Preface



The AAECC Symposia Series was started in 1983 by Alain Poli (Toulouse), who, together with R. Desq, D. Lazard, and P. Camion, organized the first conference. Originally the acronym AAECC meant “Applied Algebra and Error-Correcting Codes”. Over the years its meaning has shifted to “Applied Algebra, Algebraic Algorithms, and Error-Correcting Codes”, reflecting the growing importance of complexity in both decoding algorithms and computational algebra.

AAECC aims to encourage cross-fertilization between algebraic methods and their applications in computing and communications. The algebraic orientation is towards finite fields, complexity, polynomials, and graphs. The applications orientation is towards both theoretical and practical error-correction coding, and, since AAECC 13 (Hawaii, 1999), towards cryptography. AAECC was the first symposium with papers connecting Gröbner bases with E-C codes. The balance between theoretical and practical is intended to shift regularly; at AAECC-14 the focus was on the theoretical side.

The main subjects covered were: 

— Codes: iterative decoding, decoding methods, block codes, code construction. 

— Codes and algebra: algebraic curves, Gröbner bases, and AG codes.

— Algebra: rings and fields, polynomials. 

— Codes and combinatorics: graphs and matrices, designs, arithmetic. 

— Cryptography. 

— Computational algebra: algebraic algorithms. 

— Sequences for communications. 

Six invited speakers covered the areas outlined: 

— Robert Calderbank, “Combinatorics, Quantum Computers, and Cellular 
Phones” 

— James Massey, “The Ubiquity of Reed-Muller Codes” 

— Graham Norton, “Gröbner Bases over a Principal Ideal Ring”

— Vera Pless, “Self-dual Codes - Theme and Variations” 

— Amin Shokrollahi, “Design of Differential Space-Time Codes Using Group 
Theory” 

— Madhu Sudan, “Ideal Error-Correcting Codes: Unifying Algebraic and Number-Theoretic Algorithms”.

Except for AAECC-1 (Discrete Mathematics 56, 1985) and AAECC-7 (Discrete Applied Mathematics 33, 1991), the proceedings of all the symposia have been published in Springer-Verlag's Lecture Notes in Computer Science (Vols. 228, 229, 307, 356, 357, 508, 539, 673, 948, 1255, 1719).

It is a policy of AAECC to maintain a high scientific standard, comparable to that of a journal. This has been made possible thanks to the many referees involved. Each submitted paper was evaluated by at least two international researchers.







AAECC-14 received and refereed 61 submissions. Of these, 1 was withdrawn, 36 were selected for publication in these proceedings, while 7 additional works contributed to the symposium as oral presentations. Unrefereed talks were presented in a “Recent Results” session.

The symposium was organized by Serdar Boztaş, Tom Høholdt, Kathy Horadam, Igor E. Shparlinski, and Branka Vucetic, with the help of Asha Baliga, Pride Conference Management (Juliann Smith), and the Department of Mathematics, RMIT University. It was sponsored by the Australian Mathematical Society.

We express our thanks to the staff of Springer-Verlag, especially Alfred Hofmann and Anna Kramer, for their help in the preparation of these proceedings.



August 2001 Serdar Boztaş and Igor E. Shparlinski
ETH-Zürich and Lund University
Trondhjemsgade 3, 2TH, DK-2100 Copenhagen East
JamesMassey@compuserve.com



Abstract. It is argued that the nearly fifty-year-old Reed-Muller codes underlie a surprisingly large number of algebraic problems in coding and cryptography. This thesis is supported by examples that include some new results such as the construction of a new class of constant-weight cyclic codes with a remarkably simple decoding algorithm and a much simplified derivation of the well-known upper bound on the linear complexity of the running key produced by a nonlinearly filtered maximal-length shift-register.



1 Introduction 

The Reed-Muller codes, which were actually discovered by Muller [1], were the 
first nontrivial class of multiple-error-correcting codes. Reed [2] gave a simple 
majority-logic decoding algorithm for these binary codes that corrects all errors 
guaranteed correctable by their minimum distance; he also gave an insightful 
description of these codes that has been adopted by most later researchers and 
that we will also follow here. 

Nearly 50 years have passed since the discovery of the Reed-Muller codes. It is our belief that when one digs deeply into almost any algebraic problem in coding theory or cryptography, one finds these venerable codes (or closely related codes) lying at the bottom. We illustrate this “ubiquity” of the Reed-Muller codes in what follows with a number of examples that include some new results.

In Section 2, we describe the two matrices whose properties underlie the 
construction and theory of the Reed-Muller codes. The codes themselves are 
introduced in Section 3. In Section 4 we show how the Reed-Muller codes have 
been used in a natural way to measure the nonlinearity of a binary function of 
m binary variables, a problem that arises frequently in cryptography. In Section 
5 we use Reed-Muller coding concepts to construct a new class of constant- 
weight cyclic codes that have an astonishingly simple decoding algorithm. The 
cyclic Reed-Muller codes are introduced in Section 6 where we also describe an 
“unconventional” encoder for these codes. This encoder is seen in Section 7 to 
be the same as the running-key generator for a stream cipher of the type called 
a nonlinearly filtered maximal-length shift register, which leads to an extremely 
simple derivation of a well-known upper bound on the linear complexity of the 
resulting running key. We conclude with some remarks in Section 8. 



S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 1-12, 2001.
(c) Springer-Verlag Berlin Heidelberg 2001
2 Two Useful Matrices

In this section we describe two matrices whose properties will be exploited in 
the sequel. 

Let $M_m$ denote the $2^m \times 2^m$ binary matrix in which the entries in row $i+1$ are the coefficients of $(1+x)^i$ in order of ascending powers of $x$ for $i = 0, 1, 2, \ldots, 2^m - 1$. For $m = 3$, this matrix is

$$M_3 = \begin{bmatrix} 1&0&0&0&0&0&0&0 \\ 1&1&0&0&0&0&0&0 \\ 1&0&1&0&0&0&0&0 \\ 1&1&1&1&0&0&0&0 \\ 1&0&0&0&1&0&0&0 \\ 1&1&0&0&1&1&0&0 \\ 1&0&1&0&1&0&1&0 \\ 1&1&1&1&1&1&1&1 \end{bmatrix}.$$

Some Properties of $M_m$:

1. The $i$-th row of $M_m$ is the $i$-th row of Pascal's triangle with entries reduced modulo 2. Equivalently, each row after the first is obtained by adding the previous row to its own shift right by one position.

2. The Hamming weight of row $i+1$, i.e., the number of nonzero coefficients in $(1+x)^i$, is equal to $2^{W_2(i)}$, where $W_2(i)$ is the Hamming weight of the radix-two representation of the integer $i$, for $i = 0, 1, 2, \ldots, 2^m - 1$, cf. Lemma 1 in [3].

3. The matrix $M_m$ is its own inverse, cf. [4].

4. The sum of any selection of rows of the matrix $M_m$ has Hamming weight at least that of the uppermost row included in the sum, cf. Theorem 1.1 in [3].

Of special interest to us here will be the submatrix $A_m$ of $M_m$ consisting of the $m$ rows with Hamming weight $2^{m-1}$. For $m = 3$, this matrix is

$$A_3 = \begin{bmatrix} a_1 \\ a_2 \\ a_3 \end{bmatrix} = \begin{bmatrix} 1&1&1&1&0&0&0&0 \\ 1&1&0&0&1&1&0&0 \\ 1&0&1&0&1&0&1&0 \end{bmatrix},$$

where here and hereafter we denote the rows of $A_m$ as $a_1, a_2, \ldots, a_m$.

Some Properties of $A_m$:

1. The $j$-th column of $A_m$, when read downwards with its entries considered as integers, contains the radix-two representation of the integer $2^m - j$ for $j = 1, 2, \ldots, 2^m$.

2. The $i$-th row $a_i$ of $A_m$, when treated as the function table of a binary-valued function of $m$ binary variables in the manner that the entry in the $j$-th column is the value of the function $f(x_1, x_2, \ldots, x_m)$ when $x_1, x_2, \ldots, x_m$ considered as integers is the radix-two representation of the integer $2^m - j$, corresponds to the function $f(x_1, x_2, \ldots, x_m) = x_i$ for $i = 1, 2, \ldots, m$ and $j = 1, 2, \ldots, 2^m$.

3. Cyclically shifting the rows of $A_m$ in any way (i.e., allowing different numbers of shifts for each row) is equivalent to a permutation of the columns of $A_m$.

4. Every $m \times 2^m$ binary matrix whose columns are all different can be obtained from $A_m$ by a permutation of the columns.

3 Reed-Muller Codes

Following Reed's notation [2] for the Reed-Muller codes, we use juxtaposition of row vectors to denote their term-by-term product, which we will refer to as the Hadamard product of these row vectors. For instance, for $m = 3$, $a_1 a_3 = [1\,0\,1\,0\,0\,0\,0\,0]$ and $a_1 a_2 a_3 = [1\,0\,0\,0\,0\,0\,0\,0]$. We also write $a_0$ to denote the all-one row vector of length $2^m$.

Let $\mathrm{RM}(m, \mu)$, where $1 \le \mu \le m$, denote the $\mu$-th-order Reed-Muller code of length $n = 2^m$. $\mathrm{RM}(m, \mu)$ can be defined as the linear binary code for which the matrix $G_\mu$, which has as rows $a_0, a_1, \ldots, a_m$, together with all Hadamard products of $a_1, a_2, \ldots, a_m$ taken $\mu$ or fewer at a time, is a generator matrix. For instance, the second-order Reed-Muller code $\mathrm{RM}(3, 2)$ has the generator matrix

$$G_2 = \begin{bmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \\ a_1 a_2 \\ a_1 a_3 \\ a_2 a_3 \end{bmatrix} = \begin{bmatrix} 1&1&1&1&1&1&1&1 \\ 1&1&1&1&0&0&0&0 \\ 1&1&0&0&1&1&0&0 \\ 1&0&1&0&1&0&1&0 \\ 1&1&0&0&0&0&0&0 \\ 1&0&1&0&0&0&0&0 \\ 1&0&0&0&1&0&0&0 \end{bmatrix}.$$

It is also convenient to define the $0$-th-order Reed-Muller code $\mathrm{RM}(m, 0)$ as the binary linear code with generator matrix $G_0 = [a_0]$. For instance, for $m = 3$,

$$G_0 = [1\,1\,1\,1\,1\,1\,1\,1].$$

The following proposition is a direct consequence of Properties 3 and 4 of the matrix $M_m$.

Proposition 1. The Reed-Muller code $\mathrm{RM}(m, \mu)$ of length $n = 2^m$, where $0 \le \mu \le m$, has dimension $k = \sum_{i=0}^{\mu} \binom{m}{i}$ and minimum distance $d = 2^{m-\mu}$. Moreover, its dual code is the Reed-Muller code $\mathrm{RM}(m, m - 1 - \mu)$.

4 Measuring Nonlinearity

It is often the case in cryptography that one wishes to find a binary-valued function $f(x_1, x_2, \ldots, x_m)$ of $m$ binary variables that is “highly nonlinear”. Rueppel [5] showed that the Reed-Muller codes can be used to measure the amount of nonlinearity in a very natural way. His approach is based on the following proposition, which is an immediate consequence of Property 2 of the matrix $A_m$ and of the facts that



and that $a_0$ is the function table of the constant function 1.







Proposition 2. The codewords in the first-order Reed-Muller code of length $2^m$, $\mathrm{RM}(m, 1)$, correspond to the function tables of all linear and affine functions of $m$ binary variables when the entry in the $j$-th position is considered as the value of the function $f(x_1, x_2, \ldots, x_m)$ where $x_1, x_2, \ldots, x_m$ give the radix-two representation of the integer $2^m - j$ for $j = 1, 2, \ldots, 2^m$.

Rueppel, cf. pp. 127-129 in [5], exploited the content of Proposition 2 to assert that the best linear or affine approximation to a binary function $f(x_1, x_2, \ldots, x_m)$ with function table $y = [y_1\, y_2 \cdots y_{2^m}]$ has as its function table the codeword in $\mathrm{RM}(m, 1)$ closest (in the Hamming metric) to $y$. If $e$ is the number of errors in this best approximation, i.e., the Hamming distance from this closest codeword to $y$, then $e/2^m$ is the error rate of this best linear or affine approximation to $f(x_1, x_2, \ldots, x_m)$.

Sometimes in cryptography one knows only that the function to be approximated is one of a set of $t$ functions. In this case, Rueppel suggested taking the best linear or affine approximation to be the function corresponding to the codeword in $\mathrm{RM}(m, 1)$ at the smallest average Hamming distance to the function tables $y_1, y_2, \ldots, y_t$ and to use the smallness of the average error rate as the measure of goodness. As an example of this method, Rueppel showed that the best linear or affine approximation to the most significant input bit of “S-box” S5 of the Data Encryption Standard (DES) [6] from the four different output functions $f(x_1, x_2, \ldots, x_6)$ determined by the two “control bits” for this S-box is the affine function $1 + x_1 + x_2 + x_3 + x_4$ and has an error rate of only 12/64 or 18.8%. It is hardly surprising that, seven years later, Matsui [7] built his “linear cryptanalysis” attack against DES on this “linear weakness” in S-box S5.
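As an added example (not code from Massey's paper), the following Python builds $A_m$ and the generator matrix $G_\mu$ of Sections 2 and 3 from the column convention of Property 1, and then applies Rueppel's measure from this section: the $\mathrm{RM}(m,1)$ codeword at the smallest average Hamming distance from one or more function tables, the average error count being the measure of goodness. Function names and the sample function $x_1 x_2 + x_3$ are my choices, not the paper's.

```python
from itertools import combinations


def column_values(m):
    """Column j (1-based) of A_m holds the radix-two representation of 2^m - j
    (Property 1 of A_m), so entry j of a function table is f evaluated at the
    integer 2^m - j."""
    return [(1 << m) - j for j in range(1, (1 << m) + 1)]


def a_rows(m):
    """Rows a_1, ..., a_m of A_m: a_i is the function table of x_i, where x_1 is
    the most significant bit of the column's integer (Property 2 of A_m)."""
    return [[(x >> (m - i)) & 1 for x in column_values(m)] for i in range(1, m + 1)]


def hadamard(*rows):
    """Term-by-term (Hadamard) product of row vectors, as in Reed's notation."""
    out = [1] * len(rows[0])
    for r in rows:
        out = [u & v for u, v in zip(out, r)]
    return out


def rm_generator(m, mu):
    """Generator matrix G_mu of RM(m, mu): a_0, then a_1..a_m, then all Hadamard
    products of mu or fewer of the a_i (ordered by degree, then lexicographically)."""
    a = a_rows(m)
    rows = [[1] * (1 << m)]
    for degree in range(1, mu + 1):
        for idx in combinations(range(m), degree):
            rows.append(hadamard(*(a[i] for i in idx)))
    return rows


def span(rows):
    """Every codeword generated by the given rows (fine for the small codes here)."""
    words = {tuple([0] * len(rows[0]))}
    for r in rows:
        words |= {tuple(u ^ v for u, v in zip(w, r)) for w in words}
    return words


def function_table(m, f):
    """Function table of f(x_1, ..., x_m) in the paper's column convention."""
    table = []
    for x in column_values(m):
        bits = [(x >> (m - i)) & 1 for i in range(1, m + 1)]
        table.append(f(*bits) & 1)
    return table


def hamming(u, v):
    return sum(p != q for p, q in zip(u, v))


def best_affine_approximation(m, tables):
    """Rueppel's measure: the RM(m, 1) codeword (the function table of a linear or
    affine function, Proposition 2) at the smallest average Hamming distance to
    the given function tables.  Returns (codeword, average error count); the
    error rate is that count divided by 2^m."""
    best = None
    for c in span(rm_generator(m, 1)):
        avg = sum(hamming(c, y) for y in tables) / len(tables)
        if best is None or avg < best[1]:
            best = (list(c), avg)
    return best


if __name__ == "__main__":
    # constructed sample: the quadratic function f = x1*x2 + x3 of m = 3 variables
    y = function_table(3, lambda x1, x2, x3: (x1 & x2) ^ x3)
    cw, e = best_affine_approximation(3, [y])
    print("closest RM(3,1) codeword", cw, "errors", e, "error rate", e / 8)
```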

5 Easily Decodable Constant-Weight Cyclic Codes

There are many ways to combine binary vectors to obtain another binary vector in addition to summing and to taking their Hadamard product. One of the most interesting ways when the number of vectors is odd is by majority combining in each bit position. For instance, majority combining of the three rows in

$$A_3 = \begin{bmatrix} a_1 \\ a_2 \\ a_3 \end{bmatrix} = \begin{bmatrix} 1&1&1&1&0&0&0&0 \\ 1&1&0&0&1&1&0&0 \\ 1&0&1&0&1&0&1&0 \end{bmatrix}$$

gives the row vector

$$v_3 = [1\,1\,1\,0\,1\,0\,0\,0].$$

The sequence obtained by majority combining the rows of $A_m$ was introduced by Stiffler [8] as one period of a periodic “ranging sequence” with the property that, when corrupted by additive noise, it could be synchronized by serial processing with a single correlator much faster than could any previously proposed ranging sequence of the same period. We adopt a coding viewpoint here and, for odd $m$ at least 3, take $v_m$ and its $2^m - 1$ cyclic shifts to be the codewords in a binary cyclic constant-weight code, which we denote by $S_m$ and call a Stiffler code.
Proposition 3. For every odd $m$ at least 3, the Stiffler code $S_m$ is a cyclic constant-weight binary code with length $n = 2^m$ having $n$ codewords of weight $w = 2^{m-1}$ and minimum distance $d = 2\binom{m-1}{(m-1)/2}$.

For instance, the $n = 8$ codewords

$$[1\,1\,1\,0\,1\,0\,0\,0],\ [0\,1\,1\,1\,0\,1\,0\,0],\ [0\,0\,1\,1\,1\,0\,1\,0],\ [0\,0\,0\,1\,1\,1\,0\,1],$$

$$[1\,0\,0\,0\,1\,1\,1\,0],\ [0\,1\,0\,0\,0\,1\,1\,1],\ [1\,0\,1\,0\,0\,0\,1\,1],\ [1\,1\,0\,1\,0\,0\,0\,1]$$

in $S_3$ have weight $w = 4$ and are easily checked to have minimum distance $d = 2\binom{2}{1} = 4$. Because the codewords in $S_m$ form a single cyclic equivalence class, the code has a well-defined distance distribution. The distance distribution for $S_3$ is $D_0 = 1$, $D_4 = 5$ and $D_6 = 2$ where $D_i$ is the number of codewords at distance $i$ from a fixed codeword.

Before proving Proposition 3, it behooves us to say why the Stiffler codes are interesting. From a distance viewpoint, they are certainly much inferior to the first-order Reed-Muller code $\mathrm{RM}(m, 1)$ which has $n = 2^m$, dimension $k = m + 1$ (and thus $2n$ codewords), and minimum distance $d = 2^{m-1}$. The saving grace of the Stiffler codes is that they can be decoded up to their minimum distance much more simply than even the first-order Reed-Muller codes.

To prove Proposition 3, we first note that row $a_1$ of $A_m$ affects the majority combining that produces $v_m$ only in those $2\binom{m-1}{(m-1)/2}$ columns where the remaining $m - 1$ rows of $A_m$ contain an equal number of zeroes and ones. Complementing row $a_1$ of $A_m$ and then majority combining with the remaining rows would thus produce a new row vector at distance $2\binom{m-1}{(m-1)/2}$ from $v_m$. But this complementing of the first row of $A_m$ without changing the remaining rows is equivalent to cyclically shifting all rows of $A_m$ by $2^{m-1}$ positions, so that this new row vector is the cyclic shift of $v_m$ by $2^{m-1}$ positions and is thus also a codeword in $S_m$. It follows that the minimum distance of $S_m$ cannot exceed $2\binom{m-1}{(m-1)/2}$.

We complete the proof of Proposition 3 by showing that the following decoding algorithm for $S_m$ corrects all patterns of $\binom{m-1}{(m-1)/2} - 1$ or fewer errors and either corrects or detects every pattern of $\binom{m-1}{(m-1)/2}$ errors, which implies that the minimum distance cannot be less than $2\binom{m-1}{(m-1)/2}$. We first note, however, that every row of $A_m$, say row $a_i$, agrees with $v_m$ in exactly $2^{m-1} + \binom{m-1}{(m-1)/2}$ positions, i.e., in all $2\binom{m-1}{(m-1)/2}$ positions where $a_i$ affects the majority combining and in exactly half of the remaining $2^m - 2\binom{m-1}{(m-1)/2}$ positions. We note also that by the decimation by 2 of a vector of even length, say $r = [r_1\, r_2\, r_3\, r_4 \ldots r_{2L-1}\, r_{2L}]$, is meant the vector $[r_1\, r_3 \ldots r_{2L-1}\, r_2\, r_4 \ldots r_{2L}]$ whose two subvectors $[r_1\, r_3 \ldots r_{2L-1}]$ and $[r_2\, r_4 \ldots r_{2L}]$ are called the phases of this decimation by 2 of $r$.
Decoding algorithm for $S_m$:

Let $r = [r_1\, r_2 \ldots r_{2^m}]$ be the binary received vector.

Step 0: Set $i = m$ and $\tilde r = r$.

Step 1: If the Hamming distance from $a_m = [1\,0\,1\,0 \ldots 1\,0]$ to $\tilde r$ is less than $n/2 = 2^{m-1}$ or greater than $n/2 = 2^{m-1}$, set $\delta_i$ to 0 or 1, respectively. If this distance is equal to $n/2 = 2^{m-1}$, announce a detected error and stop.

Step 2: If $i = 1$, stop and announce the decoding decision as the right cyclic shift of $v_m$ by $\delta = 2^{m-1}\delta_1 + 2^{m-2}\delta_2 + \ldots + \delta_m$ positions.

Step 3: If $\delta_i = 1$, shift $\tilde r$ cyclically left by one position.

Step 4: Replace $\tilde r$ by its decimation by 2, decrease $i$ by 1, then return to Step 1.
Example of Decoding for $S_3$:

Suppose that $r = [1\,1\,0\,0\,0\,1\,1\,1]$ is the received vector.

We begin by setting $i = 3$ and $\tilde r = [1\,1\,0\,0\,0\,1\,1\,1]$.

Because the Hamming distance from $a_3 = [1\,0\,1\,0\,1\,0\,1\,0]$ to $\tilde r$ is 5, which exceeds $n/2 = 4$, we set $\delta_3 = 1$ and then shift $\tilde r$ cyclically to the left by one position to obtain $\tilde r = [1\,0\,0\,0\,1\,1\,1\,1]$. We then decimate $\tilde r$ by 2 to obtain $\tilde r = [1\,0\,1\,1\,0\,0\,1\,1]$, after which we decrease $i$ to 2.

Because the Hamming distance from $a_3$ to $\tilde r$ is 3, which is less than $n/2 = 4$, we set $\delta_2 = 0$. We then decimate $\tilde r$ by 2 to obtain $\tilde r = [1\,1\,0\,1\,0\,1\,0\,1]$, after which we decrease $i$ to 1.

Because the Hamming distance from $a_3$ to $\tilde r$ is 7, which exceeds $n/2 = 4$, we set $\delta_1 = 1$.

We now announce the decoding decision as the right shift of $v_3$ by $\delta = 4\delta_1 + 2\delta_2 + \delta_3 = 5$ positions, i.e., as the codeword $[0\,1\,0\,0\,0\,1\,1\,1]$, which we note is at Hamming distance 1 from the received word so that we have corrected an apparent single error.
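As an added example (not the paper's code), the following Python builds $v_m$ by majority combining the rows of $A_m$, enumerates the Stiffler code $S_m$, and implements Steps 0-4 of the decoding algorithm above, returning the decoded codeword and $\delta$, or `None` when Step 1 announces a detected error. The names are mine; the exhaustive check function is there to exercise the error-correction claim of Proposition 3 on small $m$, and decoding the received vector $r = [1\,1\,0\,0\,0\,1\,1\,1]$ reproduces the worked example.

```python
from itertools import combinations


def a_rows(m):
    """Rows a_1..a_m of A_m: column j holds the radix-two representation of 2^m - j."""
    vals = [(1 << m) - j for j in range(1, (1 << m) + 1)]
    return [[(x >> (m - i)) & 1 for x in vals] for i in range(1, m + 1)]


def majority_combine(rows):
    """Bit-position-wise majority of an odd number of binary rows."""
    half = len(rows) // 2
    return [int(sum(col) > half) for col in zip(*rows)]


def stiffler_word(m):
    """v_m = majority combining of the rows of A_m (m odd, m >= 3)."""
    return majority_combine(a_rows(m))


def right_shift(v, s):
    """Right cyclic shift by s positions."""
    s %= len(v)
    return v[-s:] + v[:-s] if s else list(v)


def stiffler_code(m):
    """S_m: v_m and all of its cyclic shifts (2^m codewords)."""
    v = stiffler_word(m)
    return [right_shift(v, s) for s in range(len(v))]


def decimate(v):
    """Decimation by 2: odd-position phase followed by even-position phase."""
    return v[0::2] + v[1::2]


def hamming(u, v):
    return sum(p != q for p, q in zip(u, v))


def decode_stiffler(m, r):
    """Steps 0-4 of the decoding algorithm for S_m.  Returns (codeword, delta),
    or None if a distance equal to n/2 is met (detected error)."""
    n = 1 << m
    a_m = [1, 0] * (n // 2)                 # a_m = [1 0 1 0 ... 1 0]
    r_tilde = list(r)                       # Step 0
    delta_bits = {}
    for i in range(m, 0, -1):
        dist = hamming(a_m, r_tilde)        # Step 1
        if dist == n // 2:
            return None                     # detected error
        delta_bits[i] = 0 if dist < n // 2 else 1
        if i == 1:                          # Step 2
            break
        if delta_bits[i] == 1:              # Step 3
            r_tilde = r_tilde[1:] + r_tilde[:1]
        r_tilde = decimate(r_tilde)         # Step 4
    # delta = 2^{m-1} delta_1 + 2^{m-2} delta_2 + ... + delta_m
    delta = sum(delta_bits[i] << (m - i) for i in range(1, m + 1))
    return right_shift(stiffler_word(m), delta), delta


def corrects_all_patterns(m, max_errors):
    """True if every codeword of S_m is recovered under every error pattern of
    weight <= max_errors (exhaustive, so keep m and max_errors small)."""
    n = 1 << m
    for cw in stiffler_code(m):
        for weight in range(max_errors + 1):
            for positions in combinations(range(n), weight):
                r = list(cw)
                for p in positions:
                    r[p] ^= 1
                result = decode_stiffler(m, r)
                if result is None or result[0] != cw:
                    return False
    return True


if __name__ == "__main__":
    # the worked example: received word at distance 1 from the shift of v_3 by 5
    print(decode_stiffler(3, [1, 1, 0, 0, 0, 1, 1, 1]))
```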

To justify this decoding algorithm, which is an adaptation to the decoding problem for $S_m$ of the algorithm given by Stiffler [8] for synchronization of the periodic ranging sequence with pattern $v_m$ within one period, we argue as follows:

Suppose that the transmitted codeword is the right cyclic shift of $v_m$ by an even number of bit positions. Because $a_m$ is unchanged by a right cyclic shift by an even number of bit positions, $a_m$ will agree with the transmitted codeword in the same number of bit positions as it agrees with $v_m$, i.e., in $2^{m-1} + \binom{m-1}{(m-1)/2}$ bit positions. Thus, if $\binom{m-1}{(m-1)/2} - 1$ or fewer errors occur, $a_m$ will agree with the transmitted codeword in more than $n/2 = 2^{m-1}$ positions, and in at least $n/2 = 2^{m-1}$ positions if exactly $\binom{m-1}{(m-1)/2}$ errors occur. Suppose conversely that the transmitted codeword is the right cyclic shift of $v_m$ by an odd number of bit positions. Because $a_m$ is complemented by a right cyclic shift by an odd number of bit positions, $a_m$ will disagree with the transmitted codeword in the same number of bit positions as it agrees with $v_m$, i.e., in $2^{m-1} + \binom{m-1}{(m-1)/2}$ bit positions. Thus, if $\binom{m-1}{(m-1)/2} - 1$ or fewer errors occur, $a_m$ will disagree with the transmitted codeword in more than $n/2 = 2^{m-1}$ positions, and in at least $n/2 = 2^{m-1}$ positions if exactly $\binom{m-1}{(m-1)/2}$ errors occur. It follows that the value







of $\delta_m$ produced by the decoding algorithm in Step 1 will be 0 or 1 according as the transmitted codeword is the right cyclic shift of $v_m$ by an even or odd number of bit positions, respectively, when either $\binom{m-1}{(m-1)/2} - 1$ or fewer errors occur or when exactly $\binom{m-1}{(m-1)/2}$ errors occur but a detected error is not announced before $\delta_m$ has been determined by the decoding algorithm.

Suppose we correctly find in Step 1 that $\delta_m = 0$, i.e., that the transmitted codeword is the right cyclic shift of $v_m$ by an even number of bit positions, say by $\delta = 2j$ positions. We note that shifting each row of $A_m$ cyclically rightwards by $\delta = 2j$ positions then decimating by 2 each of the resulting rows gives exactly the same result as first decimating by 2 each row of $A_m$ then shifting each of the resulting rows cyclically rightwards by $\delta/2 = j$ positions. Moreover, the row $a_{m-1}$ is converted in this manner to the row $a_m$. It follows that if we first decimate the received word by 2, then we can determine the parity $\delta_{m-1}$ of $\delta/2 = j$ by using exactly the same procedure that was used to determine the parity $\delta_m$ of $\delta = 2j$. Conversely, suppose we correctly find in Step 1 that $\delta_m = 1$, i.e., that the transmitted codeword is the right cyclic shift of $v_m$ by an odd number of bit positions, say $\delta = 2j + 1$ positions. In this case we can perform a left cyclic shift of the received word by 1 position to arrive again at the case where the transmitted codeword is the right cyclic shift of $v_m$ by an even number $\delta - 1 = 2j$ of bit positions. This is the purpose of Step 3 of the decoding algorithm.

It follows from the above that the decoding algorithm will correctly decide $\delta_{m-1}$ when either $\binom{m-1}{(m-1)/2} - 1$ or fewer errors occur or exactly $\binom{m-1}{(m-1)/2}$ errors occur but a detected error is not announced before $\delta_{m-1}$ has been determined by the decoding algorithm. A simple induction establishes that this is also true for the decisions on $\delta_{m-2}, \delta_{m-3}, \ldots, \delta_1$ and hence that the received word will always be correctly decoded when either $\binom{m-1}{(m-1)/2} - 1$ or fewer errors occur or when exactly $\binom{m-1}{(m-1)/2}$ errors occur but a detected error is not announced.

Note that the above decoding algorithm for the Stiffler code $S_m$ requires the operation of comparing the distance between two binary words to the fixed “threshold” $n/2$ to be performed only $m$ times, which is the least number possible to determine the codeword in a code with $2^m$ codewords. Note also that this decoding algorithm also corrects many error patterns of weight greater than half the minimum distance of the code.

We remark that one can also define Stiffler codes of length $n = 2^m$, $m$ even, by choosing the sequence $v_m$ as the result of majority combining of the $m + 1$ rows of the generator matrix of the first-order Reed-Muller code. Most of the above discussion goes through virtually unchanged for these codes; the details are left to the reader.

6 Cyclic Reed-Muller Codes

The Reed-Muller codes are not cyclic, nor are they equivalent to cyclic codes. However, if the last digit is removed from each codeword, they become equivalent to cyclic codes as was first noted by Kasami, Lin and Peterson [9] and by Goethals and Delsarte [10]. We follow here the approach of [9] to the cyclic Reed-Muller codes.

A binary maximum-length sequence of length $2^m - 1$ can be defined as the first period of the output sequence produced by an $m$-stage binary linear-feedback shift register as in Fig. 1, whose feedback polynomial $h(X) = 1 + h_1 X + \ldots + h_{m-1} X^{m-1} + X^m$ is a primitive polynomial, when the initial state of the shift register is not all zero, cf. §7.4 in [11]. The period has length $2^m - 1$, which means that every non-zero state occurs exactly once as the maximum-length sequence is produced by the $m$-stage binary linear-feedback shift register. For instance, the sequence $[1\,0\,0\,1\,1\,1\,0]$ is the binary maximum-length sequence produced by the 3-stage LFSR with the primitive feedback polynomial $h(X) = 1 + X + X^3$ when the initial state is $[1\,0\,0]$.




[Fig. 1, the $m$-stage binary linear-feedback shift register referred to in the text: figure not reproduced; the only legible label is “Mod-2 adder”.]




Suppose that $b = [b_1\, b_2 \ldots b_{2^m - 1}]$ is a binary maximum-length sequence. If $T$ denotes the left cyclic shift operator, then the matrix

$$B_m = \begin{bmatrix} \mathbf{b}_1 \\ \mathbf{b}_2 \\ \vdots \\ \mathbf{b}_m \end{bmatrix} = \begin{bmatrix} b \\ Tb \\ \vdots \\ T^{m-1} b \end{bmatrix}$$

has the property that its $2^m - 1$ columns contain every non-zero $m$-tuple. (Here and hereafter we denote the rows of $B_m$ as $\mathbf{b}_1, \mathbf{b}_2, \ldots, \mathbf{b}_m$. We will also write $\mathbf{b}_0$ to denote the all-one row of length $2^m - 1$.) For instance with $m = 3$, the maximum-length sequence $b = [1\,0\,0\,1\,1\,1\,0]$ specifies the matrix

$$B_3 = \begin{bmatrix} \mathbf{b}_1 \\ \mathbf{b}_2 \\ \mathbf{b}_3 \end{bmatrix} = \begin{bmatrix} 1&0&0&1&1&1&0 \\ 0&0&1&1&1&0&1 \\ 0&1&1&1&0&1&0 \end{bmatrix}.$$
The row space of the matrix $B_m$ is a cyclic code as follows from the fact that any linear combination of its rows is equal to the first $2^m - 1$ output digits from the linear-feedback shift register when the first $m$ digits of the linear combination are used as the initial state. Thus the result is either some cyclic shift of $b$ or (for the trivial linear combination of rows) the all-zero sequence.

It follows from Property 4 of the matrix $A_m$ that the matrix $B_m$ is just a column permutation of $A_m$ when the last column of $A_m$ (i.e., the all-zero column) is removed before permuting. It follows that the matrix $G'_\mu$ which has as rows $\mathbf{b}_0, \mathbf{b}_1, \ldots, \mathbf{b}_m$ together with all Hadamard products of $\mathbf{b}_1, \mathbf{b}_2, \ldots, \mathbf{b}_m$ taken $\mu$ or fewer at a time, is a generator matrix for a linear binary code equivalent to the $\mu$-th-order Reed-Muller code $\mathrm{RM}(m, \mu)$ with the last digit of each codeword removed. Moreover, the code generated by $G'_\mu$ is cyclic. This can be seen by noting that the left cyclic shift of each codeword is contained in the linear code generated by the matrix whose rows are $T\mathbf{b}_0 = \mathbf{b}_0, T\mathbf{b}_1, \ldots, T\mathbf{b}_m$ together with all Hadamard products of $T\mathbf{b}_1, T\mathbf{b}_2, \ldots, T\mathbf{b}_m$ taken $\mu$ or fewer at a time. But $T\mathbf{b}_1, \ldots, T\mathbf{b}_m$ are all codewords in the code generated by $G'_\mu$ since they are in the row space of its submatrix $B_m$. Moreover, $T\mathbf{b}_1\, T\mathbf{b}_2 = T(\mathbf{b}_1 \mathbf{b}_2)$, $T\mathbf{b}_1\, T\mathbf{b}_2\, T\mathbf{b}_3 = T(\mathbf{b}_1 \mathbf{b}_2 \mathbf{b}_3)$, etc. up to Hadamard products of order $\mu$. It follows that $T(\mathbf{b}_1 \mathbf{b}_2)$, $T(\mathbf{b}_1 \mathbf{b}_2 \mathbf{b}_3)$, etc. up to Hadamard products of order $\mu$, are also codewords in the code generated by $G'_\mu$. Hence the code generated by $G'_\mu$ is indeed cyclic. This code will be called the $\mu$-th-order cyclic Reed-Muller code of length $n = 2^m - 1$.

The above description of the cyclic Reed-Muller codes suggests that one can build an “unconventional” encoder for these codes as we now describe. Every codeword in the $\mu$-th-order cyclic Reed-Muller code of length $n = 2^m - 1$ can be written as

$$u_0 \mathbf{b}_0 + u_1 \mathbf{b}_1 + \ldots + u_m \mathbf{b}_m + u_{1,2}\, \mathbf{b}_1 \mathbf{b}_2 + \ldots + u_{m-1,m}\, \mathbf{b}_{m-1} \mathbf{b}_m + \ldots + u_{m-\mu+1, m-\mu+2, \ldots, m}\, \mathbf{b}_{m-\mu+1} \mathbf{b}_{m-\mu+2} \cdots \mathbf{b}_m$$

and hence $u_0, u_1, \ldots, u_m, u_{1,2}, \ldots, u_{m-1,m}, \ldots, u_{m-\mu+1, m-\mu+2, \ldots, m}$ can be taken as the $k$ information bits of the cyclic Reed-Muller code. We next note that the sequence seen in the leftmost stage of the linear-feedback shift register that generates the maximal-length sequence $b$ is just the sequence $\mathbf{b}_1 = b$. Moreover, $\mathbf{b}_2 = Tb$ is the sequence seen in the second stage of this register, etc. It follows that one can determine the codeword corresponding to a particular choice of the information bits just by applying the logical circuitry that creates and adds the necessary Hadamard products of the contents of the various stages of this linear-feedback shift register. Fig. 2 shows the logic corresponding to the choice $u_0 = 1$, $u_1 = 1$, $u_2 = u_3 = 0$, $u_{1,2} = u_{1,3} = 0$, $u_{2,3} = 1$ of the information bits in the second-order cyclic Reed-Muller code of length $n = 7$ whose underlying maximal-length sequence $b = [1\,0\,0\,1\,1\,1\,0]$ is generated by the linear-feedback shift register in Fig. 2 when its initial state is $[1\,0\,0]$. The AND gate produces the Hadamard product of the sequences $\mathbf{b}_2$ and $\mathbf{b}_3$. The constant 1 input to the mod-2 adder is equivalent to having the all-one sequence $\mathbf{b}_0$ at this input to the adder. The resulting codeword is $\mathbf{b}_0 + \mathbf{b}_1 + \mathbf{b}_2 \mathbf{b}_3 = [0\,1\,0\,1\,0\,0\,1]$.

Fig. 2. An unconventional encoder for the 2nd-order cyclic Reed-Muller code of length $n = 7$, illustrated for the choice of information bits $u_0 = 1$, $u_1 = 1$, $u_2 = u_3 = 0$, $u_{1,2} = u_{1,3} = 0$, $u_{2,3} = 1$. The resulting codeword is $\mathbf{b}_0 + \mathbf{b}_1 + \mathbf{b}_2 \mathbf{b}_3 = [0\,1\,0\,1\,0\,0\,1]$. (The contents shown are the initial state of the register.)



7 Nonlinearly Filtered Maximal-Length Shift Registers 

In an additive binary stream cipher, a “running key” is added modulo-2 to the plaintext sequence to produce the ciphertext sequence. The running key is determined by the secret key in a manner that the future of the running key should be difficult to predict by an attacker who has observed some past segment of it. A structure often used to generate the “running key” in an additive stream cipher is what Rueppel [5] has called a nonlinearly filtered maximal-length shift register. In this structure, the initial state of a maximal-length shift register (i.e., a linear-feedback shift register with a primitive feedback polynomial) is determined in some manner by the secret key. The running key is the sequence produced by a fixed nonlinear binary function applied to the stages of this maximal-length linear-feedback shift register. This binary function is usually characterized by its algebraic normal form, namely by its expression in the form

$$f(x_1, x_2, \ldots, x_m) = u_0 + u_1 x_1 + \ldots + u_m x_m + u_{1,2}\, x_1 x_2 + \ldots + u_{m-1,m}\, x_{m-1} x_m + \ldots + u_{m-\mu+1, m-\mu+2, \ldots, m}\, x_{m-\mu+1} x_{m-\mu+2} \cdots x_m$$

where $u_0, u_1, \ldots, u_m, u_{1,2}, \ldots, u_{m-1,m}, \ldots, u_{m-\mu+1, m-\mu+2, \ldots, m}$ are binary coefficients uniquely determined by the function. The function $f(x_1, x_2, \ldots, x_m)$ is said to have nonlinear order $\mu$ if $\mu$ is the maximum number of variables appearing in a product with a nonzero coefficient in its algebraic normal form. For instance, $f(x_1, x_2, \ldots, x_m) = 1 + x_1 + x_2 x_3$ has nonlinear order 2.

The above formulation of nonlinearly filtered maximal-length shift registers makes the following characterization immediate.
Proposition 4. The running key produced by a nonlinearly filtered $m$-stage maximal-length shift register in which the filtering logic has nonlinear order $\mu$ is the periodic repetition of a codeword in the $\mu$-th-order cyclic Reed-Muller code of length $n = 2^m - 1$ whose underlying maximum-length sequence $b$ is generated by this maximal-length shift register.

An important measure of the cryptographic quality of a running key is its linear complexity, i.e., the number of stages in the shortest linear-feedback shift register (cf. Fig. 1) that for some choice of the initial state can generate the sequence as its output. But it is well known (cf. §8.7 in [11]) that every codeword (as well as its periodic repetition) in a cyclic code of dimension $k$ can be generated by a $k$-stage linear-feedback shift register as in Fig. 1 where the feedback polynomial is the so-called parity-check polynomial of the cyclic code; moreover, the periodic repetitions of some codewords cannot be generated by a shorter linear-feedback shift register. Proposition 4 thus implies the following upper bound on the linear complexity of the running key produced by a nonlinearly filtered $m$-stage maximal-length shift register.

Corollary 1. The linear complexity of the running key produced by a nonlinearly filtered $m$-stage maximal-length shift register in which the filtering logic has nonlinear order $\mu$ is at most $\sum_{i=0}^{\mu} \binom{m}{i}$. Equality holds for some choices of the nonlinear-order-$\mu$ filtering logic.

The bound of Corollary 1 is essentially the bound on linear complexity proved by Key [12]. However, Key required $u_0 = 0$ in the algebraic normal form of his filtering function, which implies that the running key will lie in the subcode of the $\mu$-th-order cyclic Reed-Muller code generated by the matrix obtained from $G'_\mu$ by removing the all-one row $\mathbf{b}_0$. This subcode has dimension one less than does the parent code and hence Key's bound on the linear complexity of the running key is $\sum_{i=1}^{\mu} \binom{m}{i}$.
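As an added example (not from the paper), the following Python generates the maximal-length sequence of Section 6 from $h(X) = 1 + X + X^3$, builds the rows $\mathbf{b}_i$ and the “unconventional” encoder of the second-order cyclic Reed-Muller code, produces the running key of the nonlinearly filtered register with $f = 1 + x_1 + x_2 x_3$, and measures its linear complexity with the Berlekamp-Massey algorithm (a standard algorithm the paper does not describe) so that it can be compared with Corollary 1 and with Key's bound. The function names and the ANF dictionary format are mine.

```python
import math


def lfsr_sequence(h, state, length):
    """Output of the m-stage LFSR with feedback polynomial
    h(X) = h[0] + h[1] X + ... + h[m] X^m (h[0] = h[m] = 1), i.e.
    s_{t+m} = h[1] s_{t+m-1} + ... + h[m] s_t (mod 2), from initial state s_0..s_{m-1}."""
    m = len(h) - 1
    s = list(state)
    while len(s) < length:
        t = len(s) - m
        s.append(sum(h[i] * s[t + m - i] for i in range(1, m + 1)) & 1)
    return s[:length]


def left_shift(v, k):
    """The left cyclic shift operator T applied k times."""
    k %= len(v)
    return v[k:] + v[:k]


def b_rows(h, state):
    """b_0 (all-one) and b_i = T^{i-1} b for i = 1..m: the sequences seen in the
    register's stages, the leftmost stage showing b itself."""
    m = len(h) - 1
    n = (1 << m) - 1
    b = lfsr_sequence(h, state, n)
    return [[1] * n] + [left_shift(b, i) for i in range(m)]


def hadamard(*rows):
    """Term-by-term product of row vectors."""
    out = [1] * len(rows[0])
    for r in rows:
        out = [p & q for p, q in zip(out, r)]
    return out


def cyclic_rm_encode(h, state, anf):
    """Unconventional encoder.  anf maps a tuple of 1-based variable indices to
    its coefficient u (the empty tuple is u_0); the codeword is the mod-2 sum of
    the Hadamard products b_i b_j ... selected by the nonzero coefficients."""
    rows = b_rows(h, state)
    cw = [0] * len(rows[0])
    for idx, u in anf.items():
        if u:
            term = hadamard(*(rows[i] for i in idx)) if idx else rows[0]
            cw = [p ^ q for p, q in zip(cw, term)]
    return cw


def anf_value(anf, x):
    """Evaluate the algebraic normal form at the bit vector x = (x_1, ..., x_m)."""
    value = 0
    for idx, u in anf.items():
        if u:
            term = 1
            for i in idx:
                term &= x[i - 1]
            value ^= term
    return value


def running_key(h, state, anf, length):
    """Nonlinearly filtered register: f applied to the stage contents at each
    clock, stage i (1-based) holding s_{t+i-1} at time t."""
    m = len(h) - 1
    s = lfsr_sequence(h, state, length + m)
    return [anf_value(anf, s[t:t + m]) for t in range(length)]


def linear_complexity(seq):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating seq."""
    N = len(seq)
    c, b = [1] + [0] * N, [1] + [0] * N
    L, m = 0, -1
    for n in range(N):
        d = seq[n]
        for i in range(1, L + 1):
            d ^= c[i] & seq[n - i]
        if d == 0:
            continue
        t = c[:]
        for i in range(N + 1 - (n - m)):      # c(X) <- c(X) + X^{n-m} b(X)
            c[i + n - m] ^= b[i]
        if 2 * L <= n:
            L, m, b = n + 1 - L, n, t
    return L


def corollary_bound(m, mu):
    """Corollary 1: sum_{i=0}^{mu} C(m, i).  Key's bound (u_0 = 0) omits i = 0."""
    return sum(math.comb(m, i) for i in range(mu + 1))


if __name__ == "__main__":
    H = [1, 1, 0, 1]                     # h(X) = 1 + X + X^3, as in the paper
    F = {(): 1, (1,): 1, (2, 3): 1}      # f = 1 + x1 + x2 x3, nonlinear order 2
    key = running_key(H, [1, 0, 0], F, 21)
    print("codeword", cyclic_rm_encode(H, [1, 0, 0], F), "running key", key)
    print("linear complexity", linear_complexity(key), "bound", corollary_bound(3, 2))
```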

8 Concluding Remarks 

We have only touched on a very few of the many places in which the Reed-Muller codes can be shown to underlie an algebraic problem in coding or cryptography. One can easily give many more such examples. For instance, one can show that Meier and Staffelbach's iterative algorithm for attacking an additive stream cipher [13] is an adaptation of Reed's majority-logic decoding algorithm [2] applied to the first-order cyclic Reed-Muller codes. The construction used to obtain the Stiffler codes in Section 5 can be applied to the ranging sequences recently proposed [14] as an improvement for long periods on the Stiffler ranging sequences to obtain a new class of cyclic constant-weight codes that are even simpler to decode than the Stiffler codes. We will not go into these and other examples here, but we do wish to encourage the reader to be on the alert for exploiting the Reed-Muller codes whenever he or she investigates an algebraic problem in coding or cryptography.
Abstract. Self-dual codes over GF(2), GF(3) and GF(4) were classified 
from the early 70's until the early 80's. A method for how to do this and 
efficient descriptions of the codes were developed [3, 4, 17, 20, 21]. New 
results related to the binary classifications have recently appeared. New 
formats and classifications have also recently occurred. These events, 
their relations to the old classifications and open problems will be given. 



1 Basics 

An [n, k, d] code over $F_q$, for q a prime power, is a k-dimensional subspace of 
$F_q^n$. The weight of a vector is the number of non-zero components it has. The 
smallest non-zero weight of a code, called the minimum weight and denoted by d, 
if known, is the third parameter in the description of a code. For error-correcting 
and design purposes, the larger d is the better the code is. 

A basis of a code C is called a generator matrix. If $x = (x_1, \ldots, x_n)$ and 
$y = (y_1, \ldots, y_n)$, the inner product of x and y is $x \cdot y = \sum_{i=1}^{n} x_i y_i$. If C is an [n, k] 
code, the set of all vectors orthogonal to C, with respect to this inner product, 
is an [n, n − k] code, $C^\perp$, called the dual of C. C is called self-orthogonal, s.o., 
if $C \subseteq C^\perp$. If $C = C^\perp$, C is self-dual, s.d. If the field is $F_4$, the Hermitian inner 
product, $x \cdot y = \sum_{i=1}^{n} x_i \bar{y}_i$, is used. If C is a s.o. binary code, every vector has 
even weight as it must be orthogonal to itself. Some s.o. binary codes have all 
weights divisible by 4. Similarly the weight of a s.o. vector over GF(3) is divisible 
by 3. It can be shown that vectors in a Hermitian s.o. $F_4$ code also have even 
weight. We call a code divisible if the weight of every vector is divisible by a fixed 
integer $\Delta > 1$. The Gleason-Pierce-Ward Theorem states that divisible [n, n/2] 
codes exist only for the values of q and $\Delta$ mentioned above, except in one other 
trivial situation, and that the codes are always self-dual except possibly when 
$q = \Delta = 2$. Many combinatorially interesting self-dual codes with high minimum 
weights have been found. 

Two binary codes are equivalent if one can be gotten from the other by a 
permutation of coordinate indices. One also allows multiplication of coordinates 
by a fixed constant in a non-binary field. When codes of a fixed length are 
classified, they are classified up to equivalence. If a code is the only code with 
certain parameters [n, k, d] up to equivalence, then the code is called unique. 

The weight distribution of a code is the number of vectors of any fixed weight 
in the code. It is well known that the weight distribution of a code is related 
to the weight distribution of its dual code [18]. When C is self-dual, this gives 
greater constraints on the possible weight distribution of a self-dual code. In 
particular bounds on the highest minimum weight are available. When a weight 
distribution is expressed as a polynomial, in two variables, it is called a weight 
enumerator. The weight enumerators of self-dual codes over $F_2$, $F_3$ and $F_4$ are 
combinations of weight enumerators of self-dual codes of small length called the 
Gleason polynomials. 

As we saw, all vectors in a binary s.d. code have even weights. The binary 
s.o. codes where all the weights are divisible by 4 are called doubly-even, d.e., or 
Type II if they are self-dual. A s.d. code where it is not necessarily so that all 
weights are divisible by 4 is of Type I. If a binary code has all weights divisible 
by 4 it must be s.o. If it contains only even weight vectors, hence called even, it 
need not be s.o. 

A famous example of a Type II code is the [8,4,4] Hamming code H whose 
generator matrix G(H) follows 

$$G(H) = \begin{pmatrix} 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \end{pmatrix}$$

This is the unique [8,4,4] binary code. The weight enumerator of a code can 
be written as a homogeneous polynomial in two variables. For H this is 
$y^8 + 14x^4y^4 + x^8$. This says that H contains 1 vector of weight 0, 14 vectors of weight 
4 and 1 vector of weight 8. The Gleason polynomials for Type II codes are 
the weight enumerator of H and the weight enumerator of the unique [24, 12, 8] 
Golay code, $y^{24} + 759x^8y^{16} + 2576x^{12}y^{12} + 759x^{16}y^8 + x^{24}$ [18]. Clearly the 
length n of any Type II code is divisible by 8. The Gleason polynomials for 
Type I codes are the weight enumerator of the Hamming [8, 4, 4] code and the 
weight enumerator of the unique [2, 1, 2] code, $y^2 + x^2$. This is the only case 
where the weight enumerator of a code which is not s.d. can be a combination 
of Gleason polynomials. Such a code is an even [n, n/2] code C where C has 
the same weight enumerator as its dual code $C^\perp$. These codes are called even 
formally self-dual, f.s.d. 

Consider the codes $C_1$ and $C_2$ with generator matrices $G_1$ and $G_2$. 

$$G_1 = \begin{pmatrix} 1 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 \end{pmatrix}, \qquad G_2 = \begin{pmatrix} 1 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 1 & 0 & 0 & 0 \\ 1 & 1 & 1 & 1 & 1 & 1 \end{pmatrix}$$

$C_1$ is s.d., $C_2$ is f.s.d. The weight enumerator of both is $y^6 + 3x^2y^4 + 3x^4y^2 + x^6$. 
Clearly these codes are not equivalent. 
If C, an $[n_1, k_1, d_1]$ code, and C', an $[n_2, k_2, d_2]$ code, have generator matrices 
G and G', the direct sum of C and C' has generator matrix 

$$\begin{pmatrix} G & 0 \\ 0 & G' \end{pmatrix}$$

and is an $[n_1 + n_2, k_1 + k_2, \min(d_1, d_2)]$ code. The code $C_1$ in the example above is a direct 
sum of three copies of the [2,1,2] code. A code which is not a direct sum is called 
indecomposable. The direct sum of a code C with itself n times is denoted by 
nC. 



2 Binary Self-dual Codes 

From the "combinations" of Gleason polynomials one can determine bounds on 
the minimum weights d of Type I (or even f.s.d.) codes and Type II codes of 
length n: 

Type I bound: $d \le 2\lfloor n/8 \rfloor + 2$ 
Type II bound: $d \le 4\lfloor n/24 \rfloor + 4$. 

A code whose minimum weight meets these bounds is called extremal. An 
extremal code has a unique weight enumerator even though the code need not 
be unique. Some of these unique weight enumerators have a negative coefficient, 
hence there can be no extremal codes when this occurs. Many authors have 
investigated this and for this reason, extremal Type I codes cannot exist for 
n = 32, 40, 42, 48, 50, 52 and n = 56. Other reasons [8] show that extremal Type 
I or even f.s.d. codes can only exist for $n \le 30$, $n \ne 16$, $n \ne 26$. It can be seen from 
the classifications [8] of binary s.d. codes and divisibility conditions [25], that the 
only s.d. codes meeting the Type I bound are of lengths n = 2, 4, 6, 8, 12, 14, 22 
and 24. For n = 8 and 24 the codes are Type II, the unique Hamming and Golay 
codes. There are also even f.s.d. extremal codes of lengths n = 10, 18, 20, 28 and 
30 [1, 9, 10, 15]. A [10, 5, 4] code is unique if you assume the all one vector is in it. 
An [18, 9, 6] code is unique [24]. The weight enumerators for all Type II extremal 
codes have a negative coefficient for n > 3928 and some do for various values of 
$n \ge 3696$. For n divisible by 24 extremal codes are known to exist at lengths 24 
and 48. It is an open problem whether the length 48 code is unique and whether 
there are any extremal codes at lengths 72 and 96 [18]. Extremal Type II codes 
exist at lengths 8, 16, 24, 32, 40, 48, 56, 64, 80, 88, 104, 136 [3, 5, 14, 17, 20, 23] 
and maybe at other lengths. 

A t-(v, k, λ) design is a set of v points and a set of blocks of these points 
of size k such that every t points is contained in exactly λ blocks. The larger t 
is and the smaller λ is, the more interesting is the design, particularly if λ = 1. 

It is quite surprising that, on occasion, the set of all vectors of a fixed weight 
in a code form the blocks of some t-design. When this happens we say the vectors 
"hold" the design. This happens for extremal codes. It is known [18] that the 
vectors of any fixed weight in a Type II extremal code "hold" a 5-design if 
n = 24r, a 3-design if n = 24r + 8, and a 1-design if n = 24r + 16. Thus 
the vectors of weight 4 in the Hamming code form a 3-(8,4,1) design and the 
vectors of weight 8 in the Golay code form the well-known 5-(24,8,1) design. It 
is interesting that in both the lengths 10 and 18 even f.s.d. codes, the union of 
vectors of a fixed weight in the code and their duals "hold" 3-designs [15]. 

If C is a Type I s.d. code, then the set of d.e. vectors in C forms a subcode, 
$C_0$, of codimension 1. From the weight distribution of C, the weight distribution 
of $C_0$ can be easily determined, hence the weight distribution of $C_0^\perp$. Using this 
and linear programming, Rains [22] was able to show that there is something 
wrong with the weight distribution of Type I extremal codes of length > 24 and 
that such codes of length $n \not\equiv 22 \pmod{24}$ must meet the Type II bound. 

The following is the new bound for binary self-dual codes. 

Theorem 1. Let C be an [n, n/2, d] binary self-dual code. 

Then $d \le 4\lfloor n/24 \rfloor + 4$ if $n \not\equiv 22 \pmod{24}$. 

If $n \equiv 22 \pmod{24}$, then $d \le 4\lfloor n/24 \rfloor + 6$. 

Further if C is an extremal code of length $n \equiv 22 \pmod{24}$, then C is a 
"child" of an extremal Type II code C' of length n + 2. That is C consists of 
all vectors in C' with either 11 or 00 in 2 fixed positions with those positions 
removed. 

If C is an extremal code of length divisible by 24, then C is Type II. 

The last statement is not true for other lengths n; for example there are Type 
I [32,16,8] codes [5]. The above argument does not hold for even f.s.d. codes. 
Hence these codes satisfy the following weak Type I bound 

$$d \le 2\lfloor n/8 \rfloor + 2 \quad \text{if } n \ge 32.$$

A much better bound is needed. Another open question is whether there can 
be a f.s.d. code of length 24r which satisfies the Type II bound. There are even 
f.s.d. [32,16,8] codes [8]. 

The classification of self-dual codes began in the seventies [17]. The method 
used in the beginning remained essentially the same throughout the succeeding 
classifications. The classification proceeds from smaller n to larger n and codes 
are classified up to equivalence. The process begins with the formula for the 
number of self-dual codes of length n of the type one is trying to classify. The 
formulas for the numbers of ternary and quaternary self-dual codes are related 
to the number of totally isotropic subspaces in a finite geometry and are demon- 
strated in [16] as are the number of Type I binary codes. The number of Type 
II binary codes are in [23]. 

The number of self-dual binary codes of even length n is $\prod_{i=1}^{n/2-1} (2^i + 1)$. 

If 8 divides n, the number of Type II binary codes is $\prod_{i=0}^{n/2-2} (2^i + 1)$. 
The group of a binary code C is the set of all coordinate permutations sending 
the code onto itself. The group of the Hamming code has order 1,344. If C has 
length n, then the number of codes equivalent to C is $n!/|G(C)|$ where $|G(C)|$ is the 
order of G(C), the group of C. Hence to classify self-dual codes of length n, it is 
necessary to find inequivalent s.d. codes $C_1, \ldots, C_r$ so that 

$$\sum_{i=1}^{r} \frac{n!}{|G(C_i)|} = N,$$

the number of self-dual codes of length n. This is called the mass-formula. Note 
that $8!/1344 = 30$, the number of Type II codes, so the Hamming code is the only 
d.e. code of length 8. 
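As an added worked example (not code from the paper), the following Python checks the Section 1 examples and the length-8 mass formula by brute force: it computes weight enumerators, tests self-orthogonality, self-duality and formal self-duality for the Hamming code H and the codes $C_1$, $C_2$, finds $|G(H)|$ by trying all 8! coordinate permutations, and evaluates the two counting formulas above. Function names are this example's own.

```python
"""Added worked example (not from the paper): binary codes from Section 1 and
the mass formula from Section 2, checked by brute force.  A vector of F_2^n is
stored as an int with bit i = coordinate i, so XOR is vector addition."""
from itertools import permutations
from math import factorial


def row_to_int(row):
    """[1, 1, 1, 1, 0, 0, 0, 0] -> bitmask with bit i set iff row[i] == 1."""
    return sum(bit << i for i, bit in enumerate(row))


def span(gen_rows):
    """All codewords generated by the rows (the code itself), as a set of ints."""
    code = {0}
    for g in gen_rows:
        code |= {c ^ g for c in code}
    return code


def weight(v):
    return bin(v).count("1")


def weight_enumerator(code, n):
    """Coefficients A_0..A_n: A_w is the number of codewords of weight w."""
    counts = [0] * (n + 1)
    for c in code:
        counts[weight(c)] += 1
    return counts


def dual(gen_rows, n):
    """C^perp by exhaustive search: all v with v . g = 0 for every generator g."""
    return {v for v in range(1 << n)
            if all(weight(v & g) % 2 == 0 for g in gen_rows)}


def analyze(gen_rows, n):
    """The Section 1 properties of the code generated by gen_rows."""
    code = span(gen_rows)
    co = dual(gen_rows, n)
    # x . y over F_2 is the parity of the overlap x & y; a code is s.o. iff all
    # pairs of generators (including a row with itself) are orthogonal.
    self_orth = all(weight(g & h) % 2 == 0 for g in gen_rows for h in gen_rows)
    enum = weight_enumerator(code, n)
    return {
        "enumerator": enum,
        "self_orthogonal": self_orth,
        "self_dual": self_orth and code == co,
        "doubly_even": all(w % 4 == 0 for w, a in enumerate(enum) if a),
        "formally_self_dual": enum == weight_enumerator(co, n),
    }


def permute(v, perm, n):
    """Send coordinate i of v to coordinate perm[i]."""
    out = 0
    for i in range(n):
        if v >> i & 1:
            out |= 1 << perm[i]
    return out


def group_order(gen_rows, n):
    """|G(C)|: the number of coordinate permutations mapping C onto itself.
    A permutation is linear, so it suffices to check the generators."""
    code = span(gen_rows)
    return sum(1 for p in permutations(range(n))
               if all(permute(g, p, n) in code for g in gen_rows))


def num_self_dual(n):
    """Number of binary s.d. codes of even length n: prod_{i=1}^{n/2-1} (2^i + 1)."""
    total = 1
    for i in range(1, n // 2):
        total *= 2 ** i + 1
    return total


def num_type_ii(n):
    """Number of Type II codes when 8 | n: prod_{i=0}^{n/2-2} (2^i + 1)."""
    total = 1
    for i in range(n // 2 - 1):
        total *= 2 ** i + 1
    return total


# Generator matrices copied from Section 1 of the paper.
HAMMING = [row_to_int(r) for r in ([1, 1, 1, 1, 0, 0, 0, 0],
                                   [1, 1, 0, 0, 1, 1, 0, 0],
                                   [1, 1, 0, 0, 0, 0, 1, 1],
                                   [1, 0, 1, 0, 1, 0, 1, 0])]
G1 = [row_to_int(r) for r in ([1, 1, 0, 0, 0, 0], [0, 0, 1, 1, 0, 0], [0, 0, 0, 0, 1, 1])]
G2 = [row_to_int(r) for r in ([1, 1, 0, 0, 0, 0], [1, 0, 1, 0, 0, 0], [1, 1, 1, 1, 1, 1])]


def mass_check_length_8():
    """(|G(H)|, 8!/|G(H)|, number of Type II codes of length 8 by formula)."""
    order = group_order(HAMMING, 8)
    return order, factorial(8) // order, num_type_ii(8)


if __name__ == "__main__":
    print("Hamming [8,4,4]:", analyze(HAMMING, 8))
    print("C1:", analyze(G1, 6))
    print("C2:", analyze(G2, 6))
    print("|G(H)|, 8!/|G(H)|, #Type II of length 8:", mass_check_length_8())
    print("# s.d. codes of length 8:", num_self_dual(8))
```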

Direct sums can be found directly, indecomposable codes are harder. Some of 
these can be constructed by “glueing” shorter indecomposable s.o. component 
codes together. This is a process of taking a direct sum of component codes 
and adjoining even weight, s.o. vectors consisting of portions in the duals of the 
component codes. This is called the “glue” space. Often the component codes 
have minimum weight 4 and then one wants no additional weight 4’s in the 
glue space and also to have it large enough to get, together with the component 
codes, a self-dual code. The resulting code is then labeled by the labels of the 
component codes. Let $d_6$ be the [6, 2, 4] code with the following generator matrix 

$$\begin{pmatrix} 1 & 1 & 1 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 & 1 & 1 \end{pmatrix};$$

$d_{2m}$ is a [2m, m − 1, 4] code. Thus $4d_6$ is the label of 
a [24,12,4] Type I code. The component codes have dimension 8 and the "glue" 
space has dimension 4. Some components have minimum weight greater than 
4 [20]. 

The Type II codes have been classified until length 32 [3] where it was found 
that there are exactly 5 inequivalent extremal [32,16,8] d.e. codes. From this 
classification, it is possible to determine the number of inequivalent Type I codes 
of lengths 26 through 30. Both the Type I and Type II codes of lengths 24 and 
less were previously classified [17,20]. Following are the numbers of inequivalent 
self-dual binary codes. 

length        2  4  6  8 10 12 14 16 18 20 22 24  26  28  30 
number s.d.   1  1  1  2  2  3  4  7  9 16 25 55 103 261 731 

length             8 16 24 32 
number of Type II  1  2  9 85 


It can be shown [3] that there are more than 17,000 inequivalent Type II codes 
of length 40 so the codes of this and larger lengths are too numerous to classify. 

The ternary s.d. codes were classified until length 20 [21] and the F 4 codes 
until length 16 [4]. The methods were similar to the binary methods. 

Actually the extremal codes are the ones of interest. Many have been found 
but it is difficult to determine all the inequivalent ones of any given length. 
Much work has been done on length 48. It is also interesting to find optimal 
self-dual codes, that is s.d. or f.s.d. codes of the largest minimum weight which 
can exist for a specific length n where extremal codes cannot exist. The weight 
distribution of an optimal code need not be unique. 

Extremal $F_4$ codes exist at lengths 2, 4, 6, 8, 10, 14, 16, 18, 20, 28 and 30. They 
do not exist for n = 12, 24, 102, 108, 114, 120, 122 and all $n \ge 126$ (because 
of negative coefficients in their weight enumerators). The other lengths n = 
26, 32, ... are as yet undecided [23]. 



3 Even Formally Self-dual 

There is no mass formula for even, f.s.d. codes as the number of such codes of 
a fixed length is not known. However the extremal f.s.d. codes were classified 
until length 20 [1, 9, 10, 15]. For n = 28, a f.s.d. code is unique as a [28, 14, 8] code 
is unique. A table of these, optimal f.s.d., and extremal and optimal s.d. codes 
until length 48 is in [8]. The extremal f.s.d. codes of lengths 10, 18, 20, 28 
have higher minimum weights than the extremal or optimal s.d. codes of those 
lengths. It is not known whether there is a f.s.d. (or any) [40, 20, 10] code. If so, 
it would have higher minimum weight than the extremal [40, 20, 8] Type II code. 
Optimal f.s.d. codes of lengths 34, 42 and 44 have higher minimum weights than 
the optimal Type I codes of those lengths. 

The tool used to classify the extremal f.s.d. codes of lengths 10 and 18 was 
the 3-design property they have [15]. At lengths 14, 20 and 22 [9, 10] the main 
tool used was the following Balance Principle. Even though this has a simpler 
analogue for s.d. codes, it was not used as codes of these lengths were completely 
classified. Let {X} denote the code with generator matrix X and $k_X$ the dimension 
of {X}. 

Theorem 2. Balance Principle: Let C be a binary code of length $n_1 + n_2$ with 
$\dim C = \dim C^\perp$. Assume A and B (F and J) generate subcodes of C ($C^\perp$) of 
the largest dimension with support under the first $n_1$ and last $n_2$ coordinates. 
Then 

$$G(C) = \begin{pmatrix} A & 0 \\ 0 & B \\ D & E \end{pmatrix} \quad\text{and}\quad G(C^\perp) = \begin{pmatrix} F & 0 \\ 0 & J \\ L & M \end{pmatrix},$$

a) $k_D = k_E = k_L = k_M$, 

b) $\{A\}^\perp = \{F \cup L\}$, $\{B\}^\perp = \{J \cup M\}$, $\{F\}^\perp = \{A \cup D\}$, $\{J\}^\perp = \{B \cup E\}$ 
and 

c) $n_1 - 2k_A = n_2 - 2k_J$, $n_1 - 2k_F = n_2 - 2k_B$. 

Using this theorem, a computer and the desired extremal or optimal minimum 
weight it is possible to find such codes of length $\le 22$. It gets much harder as 
the length increases. 
4 Additive $F_4$ Codes 

Further classes of s.d. codes related to characteristic 2 and concepts of Type 
I and Type II have recently been investigated. These codes, however, are not 
vector spaces over fields. One of these classes are additive $F_4$ codes which are of 
interest because of their relation to quantum computing [2]. We can describe an 
additive code by means of a generator matrix but it should be noted that code 
words are sums of the vectors in this matrix (not scalar multiples). The inner 
product used here, called the trace inner product, is defined on components. 
If the components are equal, it is zero; if unequal and non-zero, it is one. The 
inner product of two vectors is the sum of the inner products of corresponding 
components. If two vectors are orthogonal wrt the Hermitian inner product, 
they are also orthogonal wrt the trace inner product, not conversely. Hence a 
s.d. $F_4$ code gives a s.d. additive code. A code of length n with k generators and 
minimum weight d is denoted as an $(n, 2^k, d)$ code. It contains $2^k$ vectors. An 
$F_4$ linear [n, k] code is also an additive $(n, 2^{2k})$ code. Its generator matrix as an 
additive code would consist of its generator matrix as an $F_4$ code and $\omega$ times 
this matrix. The hexacode is the very interesting unique linear s.d. [6,3,4] code 
with the following generator matrix 

$$G = \begin{pmatrix} 1 & 0 & 0 & 1 & 1 & 1 \\ 0 & 1 & 0 & 1 & \omega & \bar\omega \\ 0 & 0 & 1 & 1 & \bar\omega & \omega \end{pmatrix}.$$

As an additive code its generator matrix would consist of G and $\omega G$. 

A s.d. additive code can include vectors of odd weight. If so the code is called 
Type I. If all weights are even, the code is Type II. It can be shown that Type 
II codes exist only if n is even. A mass formula holds for these codes as do the 
following bounds on the minimum weights of Type I and Type II codes [13] 

$$d_I \le \begin{cases} 2\lfloor n/6 \rfloor + 1 & \text{if } n \equiv 0 \pmod 6 \\ 2\lfloor n/6 \rfloor + 3 & \text{if } n \equiv 5 \pmod 6 \\ 2\lfloor n/6 \rfloor + 2 & \text{otherwise} \end{cases} \qquad d_{II} \le 2\lfloor n/6 \rfloor + 2.$$

Again a code that meets the bound is called extremal. Höhn [13] classified 
Type I codes, up to equivalence, until length 7 and Type II codes of length 8. 
There is an interesting unique extremal $(12, 2^{12}, 6)$ code, the dodecacode [2]. An 
investigation of extremal and optimal additive s.d. codes was extended to length 
16 [12]. This latter used an appropriate variant of the Balance Principle. 

Self-dual additive codes of length n are related to binary self-dual codes of 
length 4n. If C is an additive s.d. code of length n, the map 

$$p : 0 \mapsto 0000,\quad 1 \mapsto 0110,\quad \omega \mapsto 1010,\quad \bar\omega \mapsto 1100$$

sends C onto a binary s.o. code p(C) of length 4n. Let $(nd_4)_0$ be the [4n, n − 1] 
binary linear code consisting of all code words of weights divisible by 8 from 
the [4n, n] code $nd_4$. If n is even, we can construct the d.e. code 
$p_b(C) = p(C) + (nd_4)_0 + e$ where e is the length 4n vector 

0001 0001 ... 0001 if $n \equiv 0 \pmod 4$ 
or 0001 0001 ... 1110 if $n \equiv 2 \pmod 4$. 

If C is Type I, we can construct a Type I binary code in a similar fashion. The 
construction of $p_b(C)$ explains why a Type II additive code must have even 
length n as $p_b(C)$ of Type II implies that 8 divides 4n. Also this map explains 
the hexacode construction of the Golay code [18]. 

An interesting open question is the existence of a $(24, 2^{24}, 10)$ additive $F_4$ 
Type II code as a [24, 12, 10] Hermitian self-dual code cannot exist. 
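Added example (not code from the paper): the hexacode treated as an additive $F_4$ code with the trace inner product, and then the map p and the construction $p_b(C) = p(C) + (nd_4)_0 + e$ of this section carried out for n = 6, where the resulting binary code has the Golay weight distribution. The encoding of $\omega$ as 2 and $\bar\omega$ as 3, and all function names, are this example's own choices.

```python
"""Added worked example (not from the paper): the hexacode as an additive F_4
code under the trace inner product (Section 4), and the map p from additive
codes to binary codes, carried through to p_b(hexacode) of length 24.
F_4 = {0, 1, w, wbar} is encoded as the integers 0, 1, 2, 3; addition in F_4
is then the XOR of these integers (1 + w = wbar, w + wbar = 1, x + x = 0)."""

W, WBAR = 2, 3
TIMES_W = {0: 0, 1: W, W: WBAR, WBAR: 1}      # multiplication by w in F_4
# The map p of Section 4: 0 -> 0000, 1 -> 0110, w -> 1010, wbar -> 1100.
P = {0: (0, 0, 0, 0), 1: (0, 1, 1, 0), W: (1, 0, 1, 0), WBAR: (1, 1, 0, 0)}


def vadd(x, y):
    """Componentwise addition; works for F_4 vectors and for binary vectors."""
    return tuple(a ^ b for a, b in zip(x, y))


def times_w(x):
    return tuple(TIMES_W[a] for a in x)


def trace_ip(x, y):
    """Trace inner product: a component contributes 1 iff its two entries are
    unequal and both non-zero; the result is the sum of the contributions mod 2."""
    return sum(1 for a, b in zip(x, y) if a != b and a and b) % 2


def additive_span(gens):
    """All sums of subsets of the generators (no scalar multiples)."""
    code = {tuple(0 for _ in gens[0])}
    for g in gens:
        code |= {vadd(c, g) for c in code}
    return code


def weight_distribution(code, n):
    dist = [0] * (n + 1)
    for c in code:
        dist[sum(1 for a in c if a)] += 1
    return dist


def is_trace_self_dual(gens, n):
    """s.d. additive: generators pairwise trace-orthogonal and 2^n codewords."""
    ortho = all(trace_ip(g, h) == 0 for g in gens for h in gens)
    return ortho and len(additive_span(gens)) == 2 ** n


# Hexacode generator matrix G from the paper; G and wG generate it additively.
HEXACODE_G = [(1, 0, 0, 1, 1, 1), (0, 1, 0, 1, W, WBAR), (0, 0, 1, 1, WBAR, W)]
HEXACODE_ADDITIVE = HEXACODE_G + [times_w(g) for g in HEXACODE_G]


def p_map(x):
    """p applied componentwise: an F_4 vector of length n -> binary vector of length 4n."""
    return tuple(bit for a in x for bit in P[a])


def nd4_zero_generators(n):
    """(nd_4)_0: words of nd_4 (blocks 1111) with weight divisible by 8, i.e. an
    even number of 1111 blocks; generated by block_i + block_{i+1}."""
    def block(i):
        return tuple(1 if 4 * i <= j < 4 * i + 4 else 0 for j in range(4 * n))
    return [vadd(block(i), block(i + 1)) for i in range(n - 1)]


def e_vector(n):
    """The vector e of Section 4 for even n."""
    if n % 4 == 0:
        return (0, 0, 0, 1) * n
    return (0, 0, 0, 1) * (n - 1) + (1, 1, 1, 0)


def pb_generators(additive_gens, n):
    """Generators of p_b(C) = p(C) + (nd_4)_0 + e."""
    return [p_map(g) for g in additive_gens] + nd4_zero_generators(n) + [e_vector(n)]


def binary_is_type_ii(gens, n):
    """Doubly-even self-dual binary code: generator weights divisible by 4,
    even pairwise overlaps, and 2^(n/2) codewords."""
    ok = all(sum(g) % 4 == 0 for g in gens)
    ok = ok and all(sum(a & b for a, b in zip(g, h)) % 2 == 0 for g in gens for h in gens)
    return ok and len(additive_span(gens)) == 2 ** (n // 2)


def golay_from_hexacode():
    """Weight distribution of p_b(hexacode), a [24, 12, 8] doubly-even code."""
    gens = pb_generators(HEXACODE_ADDITIVE, 6)
    return weight_distribution(additive_span(gens), 24)


if __name__ == "__main__":
    print("hexacode trace-s.d.:", is_trace_self_dual(HEXACODE_ADDITIVE, 6))
    print("hexacode weights:", weight_distribution(additive_span(HEXACODE_ADDITIVE), 6))
    print("p_b(hexacode) Type II:", binary_is_type_ii(pb_generators(HEXACODE_ADDITIVE, 6), 24))
    print("p_b(hexacode) weights:", golay_from_hexacode())
```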



5 Z 4 Codes 



Another interesting family of self-dual codes are the codes over $Z_4$, the integers 
mod 4. Here one can take all linear combinations of a generator matrix. The 
usual inner product is used. Up to equivalence every s.d. $Z_4$ code has a generator 
matrix of the following form 

$$G = \begin{pmatrix} A & I_k + 2B \\ 2D & 0 \end{pmatrix}$$

where A, B and D are binary matrices [18]. Further $G_1 = [A, I_k]$ generates a 
doubly-even binary code $C_1$ and $G_2 = \begin{pmatrix} A & I_k \\ D & 0 \end{pmatrix}$ generates $C_2 = C_1^\perp$. In this situ- 
ation G is said to have type $4^k 2^{n-2k}$ and indeed contains this many codewords. 

The Lee weight of a vector counts 1 and 3 as 1 and 2 as 2. The Euclidean weight 
counts 1 and 3 as 1 and 2 as 4. A s.d. code has Type II if it contains a vector 
equivalent to the all-one vector and all Euclidean weights are divisible by 8. 
It is known that Type II codes can only exist at lengths divisible by 8. Other 
s.d. codes are Type I. 

Conway and Sloane [5] classified the self-dual $Z_4$ codes until length 9 without 
a mass formula. Gaborit [11] found such a formula for both Type I and Type 
II s.d. codes. Using this we [19] classified the Type II codes of length 16. If 
we take a coordinate position in a Type II code of length n and eliminate all 
codewords with either 0 or 2 in that position, and then remove that position we 
get a s.d. code of length n − 1 called the shortened code. Using shortened codes 
we [7] were able to classify the s.d. $Z_4$ codes of length 15 or less. A modification 
of the notation for self-orthogonal, d.e. binary codes was useful in both of these 
classifications as such codes were used for the matrix $G_1$ in the canonical form 
described above. This notation then described the s.d. codes of length 16 and 
lower. The notation $e_8$ denotes the Hamming [8,4,4] code and f denotes a code 
with no weight 4 vectors. For example, the Type II codes of length 8 have the 
labels $4 - e_8$, $3 - d_8$, $2 - 2d_4$ and $1 - f$. They have types $4^4$, $4^3 \cdot 2^2$, $4^2 \cdot 2^4$ and 
$4 \cdot 2^6$. 
Abstract. It is well-known that multiple transmit and receiving antennas can 
significantly improve the performance of wireless networks. The design of good 
modulation schemes for the model of multiple antenna wireless transmission in 
a fast fading environment (e.g., mobile communication) leads to an interesting 
packing problem for unitary matrices. Surprisingly, the latter problem is related 
to certain aspects of finite (and infinite) group theory. In this paper we will give a 
brief survey of some of these connections. 



1 Introduction 

Multiple-antenna wireless communication links promise very high data rates with low 
error probabilities, especially when the channel is known at the receiver [19,5]. The 
channel model adopted in this scenario is that of a multiple-input multiple-output Rayleigh 
flat fading channel. In cases where the fading coefficients are known neither to the sender 
nor to the receiver (a case particularly interesting for mobile communication), the design 
of modulation schemes for the transmission leads to a non-standard packing problem for 
unitary matrices. Interestingly, some good solutions to the latter problem are intimately 
related to certain questions from the representation theory of finite and Lie groups. This 
paper surveys some of these connections and poses several open questions. 

A unitary space-time code (constellation) $\mathcal S$ of rate R is a collection of $2^{RM}$ unitary 
M × M-matrices. We will discuss in the next section how these matrices can be used 
for modulation of information in a mobile wireless setting. As it turns out, in such a 
transmission the probability of mistaking a matrix V with a matrix W decreases with 
the quantity 

$$\zeta(\mathcal S) := \frac{1}{2} \min_{A, B \in \mathcal S,\ A \ne B} |\det(A - B)|^{1/M}. \qquad (1)$$

This quantity is called the minimum diversity distance of the code $\mathcal S$. The code is said 
to be fully diverse if it has positive minimum diversity distance, i.e., if for all $A, B \in \mathcal S$ 
with $A \ne B$ the eigenvalues of A − B are nonzero. 

These notions lead to an interesting packing problem: finding large finite subsets 
of unitary matrices that have a large minimum diversity distance. More precisely, let 

$$\Delta(M, L) := \sup\{\varepsilon \mid \exists\, \mathcal S \subseteq U(M),\ |\mathcal S| = L,\ \zeta(\mathcal S) = \varepsilon\}. \qquad (2)$$

S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 22-35, 2001. 
At a fundamental level the determination of lower and upper bounds for $\Delta(M, L)$ is 
complicated by the fact that the diversity distance is not a distance function: given two 
matrices A and B, it is quite possible that det(A − B) is zero while $A \ne B$. 

In this paper we will discuss some lower and upper bounds for the function 
$\Delta(M, L)$ for various M and L. Upper bound results are rather poor and close to trivial. We 
will give a brief survey on how to relate lower bounds for this function (i.e., construction 
of good space-time codes) to the theory of finite groups. 

The paper is organized as follows. In the next section we will introduce the transmis- 
sion model and provide formulas for the pairwise probability of error of the maximum 
likelihood decoder. In Section 3 we derive some upper and lower bounds for the function 
$\Delta(M, L)$. Section 4 introduces the concept of fixed-point-free groups and reviews some 
basic facts from representation theory. Section 5 discusses space-time codes of positive 
minimum diversity distance that form an abelian group under matrix multiplication, 
while the following section investigates such groups whose order is a power of a prime. 
Section 7 briefly discusses the classification of fixed-point-free groups. The last two 
sections deal with construction of codes from compact Lie groups and construction of 
good codes with zero minimum diversity distance. 

For reasons of space, we have omitted in this note the discussion of decoding algo- 
rithms for space-time codes. For decoding of space-time group codes we refer the reader 
to [4,16]. 



2 Multiple Antenna Space-Time Modulation 

2.1 The Rayleigh Flat Fading Channel 

Consider a communication link with M transmitter antennas and N receiver antennas 
operating in a Rayleigh flat-fading environment. The nth receiver antenna responds 
to the symbol sent on the mth transmitter antenna through statistically independent 
multiplicative complex-Gaussian fading coefficients $h_{mn}$. The received signal at the nth 
antenna is corrupted at time t by additive complex-Gaussian noise $w_{tn}$ that is statistically 
independent among the receiver antennas and also independent from one symbol to the 
next. We assume that time is discrete, t = 0, 1, .... 

It is convenient to group the symbols transmitted over the M antennas in blocks 
of M channel uses. We use τ = 0, 1, ... to index these blocks; within the τth block, 
t = τM, ..., τM + M − 1. The transmitted signal is written as an M × M matrix $S_\tau$ 
whose mth column contains the symbols transmitted on the mth antenna as a function 
of time; equivalently, the rows contain the symbols transmitted on the M antennas at 
any given time. The fading coefficients $h_{mn}$ are assumed to be constant over these M 
channel uses. 

Similarly, the received signals are organized in M × N matrices $X_\tau$. Since we have 
assumed that the fading coefficients are constant within the block of M symbols, the 
action of the channel is given by the simple matrix equation 

$$X_\tau = \sqrt{\rho}\, S_\tau H_\tau + W_\tau \quad \text{for } \tau = 0, 1, \ldots. \qquad (3)$$

Here $H_\tau = (h_{mn})$ and $W_\tau = (w_{tn})$ are M × N matrices of independent $\mathcal{CN}(0, 1)$- 
distributed random variables. Because of the power normalization, ρ is the expected 
SNR at each receiver antenna. 

2.2 Known Channel Modulation 

We first discuss the case where the receiver knows the channel $H_\tau$. Typically, this could 
be the case in a fixed wireless environment. We assume that the data to be transmitted is 
a sequence $z_0, z_1, \ldots$ with $z_i \in \{0, \ldots, L - 1\}$. Each transmitted matrix occupies M 
time samples of the channel, implying that transmitting at a rate of R bits per channel 
use requires a constellation $\mathcal S = \{S_1, \ldots, S_L\}$ of $L = 2^{RM}$ unitary signal matrices. 

The quality of a constellation $\mathcal S$ is determined by the probability of error of mistaking 
one symbol of $\mathcal S$ for another, using the Maximum Likelihood Decoding. In [18,9] it is 
shown that the pairwise probability of mistaking A for B in case of a known channel is 
given by 

$$P(A, B) \le \frac{1}{2} \prod_{m=1}^{M} \left[1 + \frac{\rho}{4}\, \sigma_m^2(A - B)\right]^{-N},$$

where $\sigma_m(A - B)$ is the mth singular value of the M × M matrix A − B (in some 
ordering). 

2.3 Differential Modulation 

When the receiver does not know the channel, or when the channel changes rather 
rapidly, one can communicate using multiple-antenna differential modulation [8]. Here, 
we transmit an M × M unitary matrix that is the product of the previously transmitted 
matrix and a unitary data matrix taken from the constellation. In other words, $S_\tau$ is the 
data matrix times $S_{\tau-1}$ for τ = 1, 2, ..., with $S_0 = I_M$. In [8] the pairwise probability of error under 
the Maximum Likelihood Decoding was shown to satisfy 

$$P(S_\ell, S_{\ell'}) \le \frac{1}{2} \prod_{m=1}^{M} \left[1 + \frac{\rho^2}{4(1 + 2\rho)}\, \sigma_m^2(S_\ell - S_{\ell'})\right]^{-N}.$$

At high SNR, the bounds for the known and the unknown channel depend primarily 
on the product of the nonzero singular values of $S_\ell - S_{\ell'}$. Let Sing*(A) denote the 
multiset of nonzero singular values of the matrix A, counted with multiplicities. The 
size of Sing*(A) is thus equal to the rank rk(A) of A, if A is a square matrix. Then, for 
high SNR we may write 

$$P(S_\ell, S_{\ell'}) \lesssim \frac{1}{2} \left(\frac{a}{\rho}\right)^{N\,\mathrm{rk}(S_\ell - S_{\ell'})} \prod_{\lambda \in \mathrm{Sing}^*(S_\ell - S_{\ell'})} \lambda^{-2N}, \qquad (4)$$

where a = 4 for the unknown channel case and a = 8 for the known channel case. 

A constellation $\mathcal S$ is called fully diverse if for any two matrices $S_\ell$ and $S_{\ell'}$ the 
difference $S_\ell - S_{\ell'}$ has full rank. In other words, $\mathcal S$ is fully diverse iff $\zeta(\mathcal S) > 0$. It 
is clear from (4) that for two fully diverse constellations $\mathcal S$ and $\mathcal S'$ that have the same 
number of transmit/receive antennas, the upper bound of the pairwise probability of error 
is smaller for the constellation with the larger diversity distance. 
3 A Packing Problem for Unitary Matrices 

Construction of constellations with large minimum diversity distance resembles at first 
sight the problem of packing points on the sphere, or the problem of constructing good 
error-correcting codes. However, there is a major difference between the first and the 
latter two problems: the latter two problems are concerned with packing points with 
respect to a metric, while the first is not. 

Similar to the theory of error-correcting codes, we define the function $\Delta(M, L)$, 
see (2). Let us first discuss some elementary properties of this function. 

Proposition 1. (1) For all M and L we have $0 \le \Delta(M, L) \le 1$. 

(2) For any K, M, and L we have $\Delta(M, L)^M \Delta(K, L)^K \le \Delta(M + K, L)^{M + K}$. 

(3) $\Delta(M, L) \le \Delta(2M, L)$. 

(4) $\Delta(1, L) \le \Delta(M, L)$. 

(5) $\Delta(M, L) \ge \Delta(M, L + 1)$. 

Proof. (1) First, note that for two unitary matrices A and B we have $|\det(A - B)| = 
|\det(I - AB^*)|$ where $B^*$ is the Hermitian transpose of B (which is its inverse since 
B is unitary), and I denotes the identity matrix of appropriate size. So, we need to 
show that $0 \le |\det(I - C)| \le 2^M$ for any M × M-unitary matrix C. Note that 
$|\det(I - C)| = \prod_{i=1}^{M} |1 - \lambda_i|$, where the $\lambda_i$ are the eigenvalues of C. Since $|1 - \lambda_i| \le 2$, 
the result follows. 

(2) Let $\mathcal S = \{S_1, \ldots, S_L\}$ and $\mathcal V = \{V_1, \ldots, V_L\}$ be two space-time codes with 
minimum diversity distances $\Delta(M, L)$ and $\Delta(K, L)$, respectively. The assertion follows 
by considering the code $\mathcal S \oplus \mathcal V$ consisting of the matrices $S_i \oplus V_i$, i = 1, ..., L, where for 
two matrices A and B we denote by $A \oplus B$ the block diagonal matrix obtained from A 
and B. This follows from $|\det(A_1 \oplus B_1 - A_2 \oplus B_2)| = |\det(A_1 - A_2) \det(B_1 - B_2)|$ 
for any $A_1, A_2 \in \mathcal S$ and $B_1, B_2 \in \mathcal V$. 

(3) Follows directly from (2) by setting K = M. 

(4) Follows from (2) by induction. 

(5) Trivial. □ 



Proposition 2. VFe have the following: 

(1) H(M,2) = 1 . 

(2) H(M,3) = 73/2. 

Proof. (1) In view of the previous proposition, we need to show that A{M, 2) > 1. This 
is obvious since for S := {I, —1} we have ({S) = 1. 

(2) This is slightly more complicated than the previous one. (For a similar argument, see [12].) First, recall the Frobenius norm $\|A\|$ of a matrix $A = (a_{ij})$, which is defined as $\sum_{i,j} |a_{ij}|^2$. It is well known that for a unitary $M \times M$-matrix $A$ this is the same as $\sum_i |\rho_i|^2$, where the $\rho_i$ are the eigenvalues of $A$. As a result, $\|A\| = M$ for all unitary $M \times M$-matrices $A$. This shows that the group of unitary $M \times M$-matrices can be embedded into the sphere $S^{2M^2-1}$ by mapping the matrix $A$ to $A/\sqrt{M}$. Through this mapping the Frobenius norm is mapped to the Euclidean distance on the sphere. By the arithmetic-geometric-mean inequality we know that $|\det(A)|^{2/M} \le \|A\|/M$. This shows that $|\det(A - B)|^{2/M} \le \|A - B\|/M$, which implies that $|\det(A - B)|^{1/M}$ is upper bounded by the distance of $A$ and $B$ on the sphere. Hence, the maximum minimum diversity distance of a set of three matrices is upper bounded by (half) the maximum minimum distance of a set of three points on the sphere. The latter is $\sqrt{3}/2$. This shows that $\Delta(M, 3) \le \sqrt{3}/2$. The proof of the lower bound $\Delta(M, 3) \ge \sqrt{3}/2$ follows from $\Delta(1, 3) = \sqrt{3}/2$ and $\Delta(1, 3) \le \Delta(M, 3)$ by Proposition 1(4). □

We do not know the exact value of $\Delta(M, L)$ for other small $L$. Note that even though optimal spherical codes of small sizes are known for all dimensions, this may not solve our problem, as the embedding of the group $U(M)$ of unitary $M \times M$-matrices into $S^{2M^2-1}$ is not surjective.

Open Problem 1. Calculate $\Delta(M, L)$ for all $M$ and other small values of $L$, e.g., $L \le 10$.

Let us now concentrate on the behavior of $\Delta(M, L)$ for small $M$ and all $L$. For $M = 1$, the problem becomes that of packing $L$ points on the one-dimensional circle in the two-dimensional plane so that the minimum Euclidean distance between any two points is maximal. This is achieved by putting the points on a regular $L$-gon. The minimum distance between two points is equal to $2\sin(\pi/L)$, and so the diversity distance of this set equals $\sin(\pi/L)$. Hence, we have

$$\Delta(1, L) = \sin(\pi/L).$$

The case $M = 2$ is more interesting and far less obvious. We start with a parameterization of all unitary $2 \times 2$-matrices. It is easily seen that for any such matrix $A$ there exists a point $(a_0, a_1, b_0, b_1)$ on the three-dimensional unit sphere $S^3$ and an angle $\phi \bmod \pi$ such that $A$ equals




where $a = a_0 + i a_1$ and $b = b_0 + i b_1$, and $\bar z$ is the complex conjugate of $z$. Let us concentrate first on the case $\phi = 0$, i.e., $A \in SU(2)$.¹ The first application of such matrices to multiple antenna code design was given by Alamouti [1] for the known channel modulation and by Tarokh and Jafarkhani [11] for the unknown channel modulation. The following lemma is from [16].

Lemma 1. The diversity distance on $SU(2)$ is a metric, and $SU(2)$ together with this metric is isomorphic to $S^3$ with half the standard Euclidean metric. As a result, any packing of $S^3$ with $L$ points and minimum distance $d$ results in a signal constellation $V$ in $SU(2)$ with diversity distance $d/2$.

Proof. First, given the parameterization above, the matrices in $SU(2)$ correspond in a one-to-one manner to the elements of $S^3$. Let $A$ and $B$ be matrices in $SU(2)$, and let $P, Q$ be points on $S^3$ corresponding to $A$ and $B$, respectively. Then one easily verifies that $|\det(A - B)|$ is the square of the Euclidean distance between $P$ and $Q$. Hence, the first assertion of the lemma follows. The second assertion follows from the first.

¹ $U(M)$ and $SU(M)$ denote the group of unitary $M \times M$-matrices and the group of unitary $M \times M$-matrices of determinant one, respectively.

The lemma shows that $\Delta(2, L) \ge B(2, L)$, where $B(2, L)$ is half the minimum distance of the best spherical code with $L$ points on $S^3$. This number has been studied quite extensively, and very good upper and lower bounds are known for it [6].

It is not clear whether the best diversity distance for $SU(2)$ is strictly smaller than the best diversity distance for $U(2)$. In other words, it is not clear whether the additional parameter $\phi$ for matrices in $U(2)$ leads to sets with strictly better diversity distance.

Open Problem 2. Is $\Delta(2, L) = B(2, L)$? In other words, is the best diversity distance for constellations in $SU(2)$ the same as the best diversity distance for constellations in $U(2)$?

Except for the method used in the proof of Proposition 2(2), not much is known about upper bounds for the function $\Delta(M, L)$ for $M \ge 3$. Therefore, we will concentrate on lower bounds, i.e., the construction of space-time codes $V$ with large minimum diversity distance. We will accomplish this by using space-time codes that form a group under matrix multiplication. The proper setting in which to discuss such groups is the representation theory of finite groups, which we shall briefly outline in the next section.



4 Fixed-Point-Free Groups 

Suppose that the constellation $S$ of unitary $M \times M$-matrices forms a group under matrix multiplication. Then the diversity distance of $S$ can be described more easily as

where $I$ is the $M \times M$-identity matrix. Indeed, $|\det(S - S')| = |\det(S)|\,|\det(I - S^{-1}S')| = |\det(I - S^{-1}S')|$, and since $S^{-1}S'$ belongs to the group, the assertion follows.

The question which finite groups of unitary matrices have a large diversity distance 
should be preceded by which of these groups have nonzero diversity distance. The latter 
question is answered using tools from group theory and from the representation theory 
of finite groups. 

A representation of degree $M$ of a finite group $G$ is a homomorphism of $G$ into the group $U(M)$ of unitary $M \times M$-matrices. Two representations $\Delta$ and $\Delta'$ are called equivalent if there is a unitary matrix $T$ such that $\Delta(g) = T\Delta'(g)T^*$ for all elements $g$ of $G$. The direct sum of two representations $\Delta$ and $\Delta'$ is the representation $\Delta \oplus \Delta'$ whose value at a group element $g$ is the block diagonal matrix having the block diagonal entries $\Delta(g)$ and $\Delta'(g)$. A representation is called irreducible if it is not equivalent to a direct sum of two representations.

Given (5), a finite group $S$ of unitary $M \times M$-matrices has nonzero diversity distance if and only if no non-identity element of $S$ has an eigenvalue 1. Inspired by this, we call a representation $\Delta$ of a finite group $G$ fixed-point-free (fpf) if the group $\Delta(G)$ has full diversity. A group $G$ is called fpf if it has an irreducible fpf representation.
5 Abelian Groups



Use of space-time codes that form an abelian group was first suggested by Hochwald and Sweldens [8]. It is easy to see that cyclic groups are fpf: any primitive character of the group provides a fpf representation. Moreover, any abelian group that is fpf is necessarily cyclic: if an abelian group is not cyclic, then any character of that group has a nontrivial kernel, hence cannot be fpf.

Suppose we want to construct an fpf cyclic group whose elements are $M \times M$-matrices. The most general form of such a group is given by

$$S(u_2, \ldots, u_M) = \left\{ \begin{pmatrix} \eta^{k} & 0 & \cdots & 0 \\ 0 & \eta^{u_2 k} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & \eta^{u_M k} \end{pmatrix} : 0 \le k < L \right\}$$

where the $u_i$ are pairwise different and co-prime to $L$, and $\eta = e^{2\pi i/L}$. The obvious question that arises is that of choosing the $u_i$ in such a way that $\zeta(S(u_2, \ldots, u_M))$ is maximized. This is a very difficult question. The case $M = 2$ was investigated in [15], where it was conjectured that if $L$ is the $n$th Fibonacci number, then it is best to choose $u$ to be the $(n-1)$st Fibonacci number.
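As an added example (not code from the paper or from [15] and [16]), the following Python script evaluates the diversity distance of group constellations numerically: it builds the cyclic group $S(u_2, \ldots, u_M)$ above and the group $G_{m,r}$ of Theorem 2 (Section 7) as explicit matrices, exhaustively searches for the best $u$ when $M = 2$ and $L = 13$, and checks the values quoted in the text. It assumes the normalization $\zeta(S) = \tfrac12 \min_{A \ne B} |\det(A - B)|^{1/M}$, $\eta = e^{2\pi i/L}$, and, for $G_{m,r}$, the matrix shape the text shows for $G_{21,4}$.

```python
"""Diversity distance of group space-time constellations (added example, not the
paper's own code).  Assumes zeta(S) = 1/2 * min_{A != B} |det(A - B)|^(1/M),
the normalization that reproduces the values quoted in the text, and takes
eta = exp(2*pi*i/L) as the primitive L-th root of unity."""
import cmath
import math
from math import gcd


def det(m):
    """Determinant by Gaussian elimination with partial pivoting (small matrices)."""
    a = [row[:] for row in m]
    n, d = len(a), 1
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(a[r][c]))
        if abs(a[piv][c]) < 1e-12:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            d = -d
        d *= a[c][c]
        for r in range(c + 1, n):
            f = a[r][c] / a[c][c]
            a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return d


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def matpow(a, e):
    out = [[int(i == j) for j in range(len(a))] for i in range(len(a))]
    for _ in range(e):
        out = matmul(out, a)
    return out


def diversity_distance(group):
    """zeta(S) for a group S.  Since S^-1 S' lies in S again, only |det(I - g)|
    over the non-identity elements g has to be examined (Section 4)."""
    M = len(group[0])
    ident = [[int(i == j) for j in range(M)] for i in range(M)]
    best = float("inf")
    for g in group:
        if all(abs(g[i][j] - ident[i][j]) < 1e-9 for i in range(M) for j in range(M)):
            continue                                  # the identity element itself
        diff = [[ident[i][j] - g[i][j] for j in range(M)] for i in range(M)]
        best = min(best, abs(det(diff)))
    return 0.5 * best ** (1.0 / M)                    # 0.0 means "not fully diverse"


def cyclic_group(L, us):
    """S(u_2, ..., u_M) of Section 5: diag(eta^k, eta^{u_2 k}, ..., eta^{u_M k}), 0 <= k < L."""
    eta = cmath.exp(2j * math.pi / L)
    exps = [1] + list(us)
    return [[[eta ** (u * k) if i == j else 0 for j in range(len(exps))]
             for i, u in enumerate(exps)] for k in range(L)]


def best_u_for_two_antennas(L):
    """Exhaustive search over u co-prime to L for M = 2; returns (zeta, optimal u's)."""
    score = {u: diversity_distance(cyclic_group(L, [u]))
             for u in range(1, L) if gcd(u, L) == 1}
    top = max(score.values())
    return top, sorted(u for u, s in score.items() if abs(s - top) < 1e-9)


def g_mr_group(m, r):
    """G_{m,r} of Theorem 2 as a matrix group, in the shape shown for G_{21,4} in
    Section 7: sigma -> diag(eta, eta^r, ..., eta^{r^(n-1)}), tau -> cyclic shift
    with eta^t in the corner (so tau^n = sigma^t).  Returns (admissible?, elements)."""
    n = next(e for e in range(1, m + 1) if pow(r, e, m) == 1)   # order of r modulo m
    r0 = gcd(r - 1, m)
    t = m // r0
    primes_of_n = [q for q in range(2, n + 1) if n % q == 0 and all(q % d for d in range(2, q))]
    admissible = gcd(n, t) == 1 and all(r0 % q == 0 for q in primes_of_n)
    eta = cmath.exp(2j * math.pi / m)
    A = [[eta ** pow(r, i, m) if i == j else 0 for j in range(n)] for i in range(n)]
    B = [[int(j == i + 1) for j in range(n)] for i in range(n)]
    B[n - 1][0] = eta ** t
    elements = [matmul(matpow(A, s), matpow(B, j)) for s in range(m) for j in range(n)]
    return admissible, elements


if __name__ == "__main__":
    print("Delta(1, 13) =", round(diversity_distance(cyclic_group(13, [])), 4),
          "= sin(pi/13) =", round(math.sin(math.pi / 13), 4))
    zeta, us = best_u_for_two_antennas(13)          # 13 = F_7; [15] predicts u = F_6 = 8
    print("L = 13, M = 2: zeta =", round(zeta, 4), "for u in", us)
    ok, g = g_mr_group(21, 4)
    print("G_21,4: admissible =", ok, "|G| =", len(g), "zeta =", round(diversity_distance(g), 4))
```

For $L = 13$ the search returns $u \in \{5, 8\}$ (the two choices are the same group with the antennas swapped), in line with the Fibonacci conjecture, and $G_{21,4}$ comes out at about 0.3851 as stated in Section 7.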



6 Fpf $p$-Groups

If a group is fpf, then so are all its subgroups. In particular, the $p$-Sylow subgroups of such a group are fpf as well. However, these can only be of very restricted types, as the following theorem of Burnside [3] shows.

Theorem 1. Let $G$ be a fpf $p$-group. If $p$ is odd, then $G$ is a cyclic group. If $p$ is even, then $G$ is either a cyclic group, or a generalized Quaternion group given as $\langle \sigma, \tau \mid \sigma^{2^{n-1}} = 1,\ \tau^2 = \sigma^{2^{n-2}},\ \sigma^\tau = \sigma^{-1} \rangle$, where $\sigma^\tau = \tau\sigma\tau^{-1}$. Conversely, all these groups are fpf.

We remark that the classification of fpf 2-groups was independently rediscovered by 
Hughes [10] in the context of multiple antenna communication. 

The proof of this theorem requires some simple facts from representation theory which we did not elaborate on in Section 4. Readers not familiar with representation theory can skip the proof.

Proof. We only prove the assertion for the case of odd $p$; the case of even $p$ can be handled similarly. Let $|G| = p^n$. We use induction on $n$. The case $n = 1$ is obvious, since here $G$ can only be cyclic. Assume now that we have proved the assertion for all groups of size $p^{n-1}$. Let $G$ be a fpf group of size $p^n$. By Sylow's theorem, $G$ has a normal subgroup $N$ of size $p^{n-1}$, which is cyclic by the induction hypothesis. Denote by $\sigma$ a generator of this group, and suppose that $\tau N$ generates $G/N$. Then $\tau^p \in \langle\sigma\rangle$, say $\tau^p = \sigma^k$, and $\sigma^\tau = \sigma^\ell$ for some $\ell$ since $N$ is normal.

Suppose that $\Delta$ is a fpf representation of $G$. Then $\Delta\downarrow N$, the restriction of $\Delta$ to $N$, is also fpf. But $\Delta\downarrow N$ is equivalent to the direct sum of characters of $N$, which necessarily have to be primitive. All irreducible representations of $G$ are obtained as inductions/extensions of representations (i.e., characters) of $N$, and their degree is either 1 (in case of an extension) or $p$ (in case of an induction). This is because the degrees of irreducible representations of $G$ are powers of $p$ and $N$ is cyclic. Suppose $G$ had an irreducible fpf representation $\Delta$ of degree $p$. $\Delta$ would be the induction of a primitive character $\chi$ of $N$: $\Delta = \chi\uparrow G$. The value $\chi(\sigma)$ would then be a primitive $p^{n-1}$st root of unity, which we denote by $\eta$. This shows that $\Delta$ is equivalent to the representation $R$ given by





$$R(\sigma) = \begin{pmatrix} \eta & 0 & \cdots & 0 \\ 0 & \eta^{\ell} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & \eta^{\ell^{p-1}} \end{pmatrix}, \qquad R(\tau) = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ \eta^{k} & 0 & 0 & \cdots & 0 \end{pmatrix}.$$



All elements of $G$ are of the form $\sigma^s\tau^t$ where $0 \le s < p^{n-1}$ and $0 \le t < p$. For $t \not\equiv 0 \bmod p$ the representation $R$ evaluated at such an element is

$$R(\sigma^s\tau^t) = R(\sigma)^s R(\tau)^t,$$

a monomial matrix with exactly one nonzero entry in each row and column: the nonzero entry of row $i$ sits in column $i + t \bmod p$ and equals $\eta^{s\ell^i}$, or $\eta^{s\ell^i + k}$ for the $t$ rows that wrap around (e.g., for $t = 1$ the last row is $(\eta^{s\ell^{p-1}+k}, 0, \ldots, 0)$).

It is not hard to see that $\det(I - R(\sigma^s\tau^t)) = 1 - \eta^{s(1 + \ell + \cdots + \ell^{p-1}) + kt}$. If we can find an integer $t \not\equiv 0 \bmod p$ and another integer $s$ such that the exponent of $\eta$ is congruent to 0 modulo $p^{n-1}$, then this proves that $\det(I - R(\sigma^s\tau^t)) = 0$, and shows that $G$ is not fpf. We will show that such a $t$ exists for odd $p$. To this end, it suffices to prove that if $p^r$ divides $\sum_{i=0}^{p-1} \ell^i$, then $p^r$ also divides $k$.

First note that $\ell \not\equiv 1 \bmod p^{n-1}$ since we have assumed that $G$ has an irreducible representation of degree $p$, and hence $G$ is not abelian. Since $\tau^p = \sigma^k$, we have $\sigma^{\tau^p} = \sigma$. But $\sigma^{\tau^p} = \sigma^{\ell^p}$, so $\ell^p \equiv 1 \bmod p^{n-1}$. Since $p$ is odd, the multiplicative group of $\mathbb{Z}/(p^{n-1}\mathbb{Z})$ is cyclic and generated by an element, say $\omega$. This shows that $\ell$ lies in the subgroup of order $p$ generated by $\omega^{p^{n-3}(p-1)}$, which shows that $\ell \equiv 1 \bmod p^{n-2}$. As a result, $p$ divides, and $p^2$ does not divide, $(\ell^p - 1)/(\ell - 1)$.

To finish the proof, it suffices to show that $p$ divides $k$. Consider $R(\tau^p)$. This is a diagonal matrix with all diagonal entries equal to $\eta^k$. On the other hand, $R(\tau^p) = R(\sigma^k)$. The latter is a diagonal matrix with diagonal entries $\eta^k, \eta^{k\ell}, \ldots, \eta^{k\ell^{p-1}}$. So, $\eta^{k\ell} = \eta^k$, which implies $k(\ell - 1) \equiv 0 \bmod p^{n-1}$. Since $\ell \equiv 1 \bmod p^{n-2}$, but $\ell \not\equiv 1 \bmod p^{n-1}$, this implies that $p$ divides $k$ and finishes the proof. □



For the rest of this section, let us prove that the generalized Quaternion groups are indeed fpf. Let $G := \langle \sigma, \tau \mid \sigma^{2^{n-1}} = 1,\ \tau^2 = \sigma^{2^{n-2}},\ \sigma^\tau = \sigma^{-1} \rangle$ be such a group. $G$ has a normal subgroup $H = \langle\sigma\rangle$ of index 2. We induce an fpf representation of $H$, i.e., a primitive character of $H$, to $G$. Call the corresponding representation $\Delta$. Then we have (up to equivalence)

where $\eta$ is a primitive $2^{n-1}$st root of unity. It is easy to see that this representation is indeed fpf. Consider $\Delta(\sigma^s\tau^t)$. If $t \equiv 0 \bmod 2$, there is nothing to prove, so let us assume w.l.o.g. that $t = 1$. We have

$$I - \Delta(\sigma^s\tau) =$$

We note in passing that this is (up to scaling) an example of an orthogonal design [1,11], or (again up to scaling) an element of $SU(2)$ (see Section 3). The determinant of this matrix is $1 + 1 = 2$. This shows that $G$ is fpf.



7 Classification of fpf Groups 

The classification of all fpf groups was carried out in large part by Zassenhaus [20] in the context of the classification of finite near-fields. The results were partly rediscovered and partly completed in the context of communication in [16].

One key to the classification of fpf groups is the trivial observation that subgroups of fpf groups are themselves fpf. Hence, all $p$-Sylow subgroups of fpf-groups must be of the forms given in Theorem 1. In particular, if $G$ is an fpf-group of odd order, then all $p$-Sylow subgroups for odd $p$ must be cyclic. It turns out that all such groups have a simple shape. Given a pair of integers $(m, r)$ with $r$ co-prime to $m$, we implicitly define $n$ to be the order of $r$ modulo $m$, $r_0 = \gcd(r - 1, m)$, and $t = m/r_0$. We call the pair $(m, r)$ admissible if $\gcd(n, t) = 1$ and all prime divisors of $n$ divide $r_0$. Then we have the following theorem [20,16].

Theorem 2. Suppose that $G$ is a fpf group of odd order. Then there exists an admissible pair $(m, r)$ such that

$$G \cong G_{m,r} := \langle \sigma, \tau \mid \sigma^m = 1,\ \tau^n = \sigma^t,\ \sigma^\tau = \sigma^r \rangle,$$

where $t = m/r_0$, $r_0 = \gcd(r - 1, m)$, and $n$ is the order of $r$ modulo $m$. Conversely, all groups $G_{m,r}$ with admissible $(m, r)$ are fpf.

The reader may want to look at [16] for the full-diversity constellations derived from this theorem. The smallest non-cyclic fpf group of odd order is $G_{21,4}$, which has 63 elements. Its corresponding constellation is given by the elements $A^sB^t$, $0 \le s < 21$, $0 \le t < 3$, where

$$A = \begin{pmatrix} \eta & 0 & 0 \\ 0 & \eta^4 & 0 \\ 0 & 0 & \eta^{16} \end{pmatrix}, \qquad B = \begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \\ \eta^7 & 0 & 0 \end{pmatrix},$$

and $\eta = e^{2\pi i/21}$. The diversity distance of this constellation is roughly 0.3851.
The classification of fpf groups of even order is a lot more elaborate [20,16] and will not be discussed here for lack of space. It is divided into the simpler part of solvable fpf groups and the more difficult part of non-solvable fpf groups. One of the most interesting groups belonging to the second category is $SL(2, \mathbb{F}_5)$, the group of $2 \times 2$-matrices over $\mathbb{F}_5$ with determinant 1. Both irreducible 2-dimensional representations of this group are fpf and give rise to the constellation generated by the two matrices

$$P = \frac{1}{\sqrt5}\begin{pmatrix} \eta^2 - \eta^3 & \eta - \eta^4 \\ \eta - \eta^4 & \eta^3 - \eta^2 \end{pmatrix}, \qquad Q = \frac{1}{\sqrt5}\begin{pmatrix} \eta - \eta^2 & \eta^2 - 1 \\ 1 - \eta^3 & \eta^4 - \eta^3 \end{pmatrix},$$

where $\eta = e^{2\pi i/5}$. The diversity distance of this constellation is $\tfrac12\sqrt{(3 - \sqrt5)/2} \approx 0.3090$. This is in fact a constellation in $SU(2)$, and hence can be identified with a set of points on $S^3$. The corresponding polyhedron is a regular polyhedron with 120 vertices. In dimension 4 there are only two such polyhedra. The other one is the dual of the one described here. For more information and historical remarks on this "120-cell," the reader is referred to [17]. Note that if $\Delta(2, L) = B(2, L)$ (see Open Problem 2), then

$$\Delta(2, 120) = \tfrac12\sqrt{(3 - \sqrt5)/2}.$$

The results of simulations of $SL(2, \mathbb{F}_5)$ as a space-time code can be found in Figure 1.

[Figure 1: two plots, horizontal axis SNR (dB)]

Fig. 1. Comparison of $SL(2, \mathbb{F}_5)$ with orthogonal designs, diagonal codes, and the Quaternion group. The left picture is for one receiver antenna, while the second is for two receiver antennas. The code is designed for $M = 2$ transmit antennas, and has $L = 120$ elements ($R \approx 3.45$).



Even though we now know all fpf finite groups, it may still be that there are full-diversity space-time codes that are not groups themselves, but generate a finite group. This question is open, and an answer to it would be very interesting. Here we are not looking for a full classification, as this seems rather difficult.

Open Problem 3. Find finite sets of unitary matrices with large diversity distance that generate a finite group.

For some attempts in the direction of answering this question, see [16].
8 Codes from Representations of Compact Lie Groups

Since the classification of fpf finite groups is complete, the next question to ask is that of the classification of infinite fpf groups. Here, we require that the group has an irreducible unitary finite-dimensional representation that is fpf. In this direction, Hassibi and Khorrami showed that the only fpf Lie groups are $U(1)$ and $SU(2)$ [7]. But what about other types of groups? One such type of group is given by the group of nonzero elements of a division algebra. In fact, if we can embed a division algebra over $\mathbb{Q}$, say, into $\mathbb{C}^{M \times M}$ such that an infinite subgroup $H$ of the unit group is embedded into $U(M)$, then the image of $H$ will be fpf.

Open Problem 4. Is it possible to embed a division algebra over $\mathbb{Q}$ into $\mathbb{C}^{M \times M}$ for some $M$ such that an infinite subgroup of the multiplicative group is embedded in $U(M)$?

An example of such a situation (when $\mathbb{Q}$ is replaced by $\mathbb{R}$) is given by the Hamiltonian Quaternions. Here the elements of norm 1 are mapped into $SU(2)$, and this is another reason why $SU(2)$ is fpf.

Even though the theorem of Hassibi and Khorrami rules out the existence of fpf Lie groups other than the obvious ones, the question is open whether there are subsets of Lie groups with high diversity. Compact Lie groups seem to be ideal candidates for such an investigation, as all their irreducible representations are unitary and finite dimensional [2]. In [14] we proved that the unique 4-dimensional representation of $SU(2)$ gives rise to very good space-time codes if evaluated at a good spherical code on $S^3$ in which the angle of any two points is separated by 120 degrees. The representation is given by

$$\begin{pmatrix} a^3 & \sqrt3\,a^2 b & \sqrt3\,a b^2 & b^3 \\ -\sqrt3\,a^2\bar b & a(|a|^2 - 2|b|^2) & b(2|a|^2 - |b|^2) & \sqrt3\,\bar a b^2 \\ \sqrt3\,a\bar b^2 & \bar b(|b|^2 - 2|a|^2) & \bar a(|a|^2 - 2|b|^2) & \sqrt3\,\bar a^2 b \\ -\bar b^3 & \sqrt3\,\bar a\bar b^2 & -\sqrt3\,\bar a^2\bar b & \bar a^3 \end{pmatrix}$$

Good space-time codes in 4 dimensions can be constructed if we take a good spherical code on $S^3$ and restrict it to a subset of the sphere on which the angle between any two points is bounded away from 120 degrees. In particular, [14] proves that

.4(4, L) > yfe(94-124^ + 4s3) 

where $\varepsilon = 2\Delta(2, L/0.135)$. The right hand side of the above inequality is, for large $L$, smaller than $\Delta(2, L)$, which shows that the construction above is worse than the trivial bound. However, this is due to the construction of the spherical code given in [14]. Better constructions will lead to better results.

Open Problem 5. Are there other ways to use representations of compact Lie groups to derive good space-time codes in other dimensions?

We will discuss in the next section finite space-time group codes that are not fully diverse. 
The above construction is an example of an infinite group that is not fully diverse, and 
in which any non-identity matrix has rank at least 2. 
It is relatively easy to compute the eigenvalues of irreducible representations of the groups $SU(M)$, though, for larger $M$, it is not completely clear how to sample from the corresponding manifold to obtain good space-time codes. As an example, we mention the case of the 6-dimensional representation of $SU(3)$. This is obtained by considering the vector space of homogeneous polynomials in three variables of degree 2 as an $SU(3)$-module. A matrix with eigenvalues $\eta, \mu, \eta^{-1}\mu^{-1}$ is mapped to a matrix with eigenvalues $\eta^2, \mu^2, \eta^{-2}\mu^{-2}, \eta\mu, \eta^{-1}, \mu^{-1}$. (This is obtained by considering the action on the maximal torus of $SU(3)$.) As a result, any good space-time code in $SU(3)$ none of whose matrices has eigenvalue $\pm 1$ gives rise to a full-diversity space-time code in $SU(6)$.



9 Finite Groups That Are Not Fully Diverse 



A look at the upper bounds on the pairwise probability of error reveals that space-time codes that are not fully diverse could also be used for multiple antenna transmission, as is seen from (4). It is easy to see that for two $M \times M$-matrices $A$ and $B$ the probability of mistaking $A$ for $B$ is given by [13]

$$P(A, B) \le \tfrac12\,(\cdots)^{N \deg(T(x))}\,|T(1)|^{-2N} \qquad (6)$$

where $N$ is the number of receiving antennas and $T(x)$ is the largest factor of the characteristic polynomial of $AB^*$ which is not divisible by $x - 1$. A space-time group code $S$ contains $AB^*$ for any $A, B \in S$. Further, the characteristic polynomial of $AB^*$ is invariant under conjugation in the group. Hence, the different values of the pairwise probability of error can be computed once the characteristic polynomials of the conjugacy classes of $S$ are found. These can be computed from the character table of $S$, as is shown in [13].

[Figure 2: block-error rate curves, for the known and the unknown channel]

Fig. 2. Block-error rate performance of the group $SL(2, \mathbb{F}_{17})$ versus a good diagonal constellation for $M = 8$ transmitter antennas and $N = 1$ receiver antenna. Both constellations have $L = 4896$ unitary matrices ($R \approx 1.53$).

The formula (6) reveals that a non-fpf group $S$ performs better if the rank of $I - g$ is larger for all nontrivial elements $g$ of $S$. An example is given by the group $SL(2, \mathbb{F}_{17})$ of size 4896. Any irreducible 8-dimensional representation of this group has the property that all elements other than those in one conjugacy class have full rank; elements in the distinguished conjugacy class have rank 6. This representation was constructed in [13]. A simulation of this space-time code and a comparison to a diagonal code of the same rate is given in Figure 2.
Abstract. Over the past five years a number of algorithms decoding some well-studied error-correcting codes far beyond their "error-correcting radii" have been developed. These algorithms, usually termed list-decoding algorithms, originated with a list-decoder for Reed-Solomon codes [36,17], and were soon extended to decoders for Algebraic Geometry codes [33,17] and also to some number-theoretic codes [12,6,16]. In addition to their enhanced decoding capability, these algorithms enjoy the benefit of being conceptually simple, fairly general [16], and are capable of exploiting soft-decision information in algebraic decoding [24]. This article surveys these algorithms and highlights some of these features.



1 Introduction 

List-decoding was introduced in the late fifties by Elias [7] and Wozencraft [38]. 
Under this model, a decoder is allowed to output a list of possible codewords that 
a corrupted received word may correspond to. Decoding is considered successful 
if the transmitted word is included in this list of received words. 

While the initial model was introduced to refine the study of probabilistic 
channels, it has slowly developed into a tool for improving our understanding of 
error-correction even in adversarial models of error. Strong combinatorial results 
are known that bound the “list-decoding radius” of an error-correcting code as 
a function of its rate and its distance (See [5,8,40] for some of the earlier results, 
and [13,15,21] for some recent progress.) However, until the late 90's no non-trivial 
algorithms were developed to perform efficient list-decoding. In [36], the author 
gave an algorithm to list-decode Reed-Solomon codes. This was shortly followed 
up by an algorithm by Shokrollahi and Wasserman [33] to decode algebraic- 
geometry codes. Subsequently the algorithms have been extended to decode 
many families of codes. Furthermore the efficiency of the original algorithms has 
been vastly improved and many applications have been found for this concept. 
In this paper we describe the basic ideas behind the decoding algorithms. Our 

* Parts of this work were supported by NSF Grant CCR 9875511, NSF Grant GGR 
9912342, and an Alfred P. Sloan Foundation Fellowship. 
focus is mostly on the simplicity of these algorithms and not so much on their performance or uses.



2 Reed-Solomon Decoding 

Let $\mathbb{F}_q$ denote a field of size $q$ and let $\mathbb{F}_q[x]$ denote the vector space of polynomials of degree at most $k$ over $\mathbb{F}_q$. Recall that the Generalized Reed Solomon code of dimension $k$ is specified by distinct $x_1, \ldots, x_n \in \mathbb{F}_q$, and consists of the evaluations of all polynomials $p$ of degree at most $k$ at the points $x_1, \ldots, x_n$. More formally, letting $\mathbf{x} = (x_1, \ldots, x_n)$ and letting $p(\mathbf{x})$ denote $(p(x_1), \ldots, p(x_n))$, we get that the associated code $RS_{q,k,\mathbf{x}}$ is given by

$$RS_{q,k,\mathbf{x}} = \{p(\mathbf{x}) \mid p \in \mathbb{F}_q[x]\}.$$

Viewed from this perspective (as opposed to the dual perspective, where the codewords of the Reed Solomon codes are coefficients of polynomials), the Reed Solomon decoding problem is really a "curve-fitting" problem: Given $n$-dimensional vectors $\mathbf{x}$ and $\mathbf{y}$, find all polynomials $p \in \mathbb{F}_q[x]$ such that $\Delta(p(\mathbf{x}), \mathbf{y}) \le e$, for some error parameter $e$. (Here and later $\Delta(\cdot, \cdot)$ denotes the Hamming distance.)

Traditional algorithms, starting with those of Peterson [30], attempt to "explain" $\mathbf{y}$ as a function of $\mathbf{x}$. This part becomes explicit in the work of Welch & Berlekamp [37,3] (see, in particular, the exposition in [35, Appendix A]), where $\mathbf{y}$ is interpolated as a rational function of $\mathbf{x}$, and this leads to the efficient decoding. (Specifically, a rational function $a(x)/b(x)$ can be computed such that for all $i \in \{1, \ldots, n\}$, $a(x_i) = y_i \cdot b(x_i)$.)

Rational functions, however, are limited in their ability to explain data with large amounts of error. To motivate this point, let us consider the following simple (and contrived) channel: The input and output alphabet of the channel are $\mathbb{F}_q$. The channel behavior is as follows: On input a symbol $a \in \mathbb{F}_q$, the channel outputs $a$ with probability $\tfrac12$ and $\omega a$ with probability $\tfrac12$, for some fixed $\omega \in \mathbb{F}_q$. Now this is a channel that makes an error with probability $\tfrac12$, but still the information it outputs is very closely correlated with the input (and its capacity, in the sense of Shannon, is very close to 1). However, if we transmit a Reed Solomon codeword on this channel, the typical output vector $\mathbf{y}$ does not admit a simple description as a rational function of $\mathbf{x}$, and thus traditional decoding algorithms fail.

However, it is clear that the output of the channel is explained by some nice algebraic relations: Specifically, there exists a polynomial $p$ (of degree at most $k$) such that for every $i$, $y_i = p(x_i)$ or $y_i = \omega \cdot p(x_i)$. The "Or" of two Boolean conditions also has a simple algebraic representation: we simply have that the polynomial $Q(x, y) = (y - p(x)) \cdot (y - \omega \cdot p(x))$ is zero on every given $(x_i, y_i)$. Furthermore, such a polynomial $Q(x, y)$ can be found by simple interpolation (which amounts to solving a linear system), and the candidate polynomial $p(x)$ can be determined as a root of the polynomial $Q(x, y)$. (Notice that the factoring will find two polynomials $p_1$ and $p_2$ and, if $\omega \ne 1$, the true candidate is $p_1$ iff it satisfies $p_2 = \omega p_1$.)

The above example illustrates the power of using algebraic curves (over rational functions) in decoding Reed-Solomon codes. The idea of using such functions was proposed by Ar et al. [1], who showed that if, by some fortunate occurrence, the vectors $\mathbf{x}$ and $\mathbf{y}$ could be explained by some nice algebraic relation, then decomposing the algebraic curve (i.e., factoring) could tell if there exist large subsets of the data that satisfy non-trivial algebraic correlation. However, they could not show general conditions under which the vectors $\mathbf{x}$ and $\mathbf{y}$ could be explained by a nice algebraic curve, and this prevented them from obtaining a general decoding algorithm for Reed Solomon codes.

The complementing result took a few years to emerge, and did so finally in [36], where a simple counting argument is used to show that any pair of vectors $\mathbf{x}$ and $\mathbf{y}$ has a "nice" algebraic curve explaining it. The $x$- and $y$-degree of the curve can be chosen as desired, subject to the condition that the support has at least $n + 1$ coefficients. Putting these two pieces together, and choosing $x$- and $y$-degrees appropriately, one obtains the following algorithm and result:

Definition 1. Let the $(w_x, w_y)$-weighted degree of a monomial $x^i y^j$ be $i \cdot w_x + j \cdot w_y$. The $(w_x, w_y)$-weighted degree of a polynomial $Q(x, y)$ is the maximum, over all monomials with non-zero coefficient in $Q$, of their $(w_x, w_y)$-weighted degree.

Given $\mathbf{x}, \mathbf{y} \in \mathbb{F}_q^n$ and $k$.

1. Compute $Q \ne 0$ with $(1, k)$-weighted degree at most $\lfloor\sqrt{2(k-1)n}\rfloor$ satisfying $Q(x_i, y_i) = 0$ for all $i \in \{1, \ldots, n\}$ (this is simple interpolation).

2. Factor $Q$ and report all polynomials $p \in \mathbb{F}_q[x]$ such that $y - p(x)$ is a factor of $Q$ and $p(x_i) = y_i$ for $\lfloor\sqrt{2kn}\rfloor + 1$ values of $i \in \{1, \ldots, n\}$.

Theorem 1 ([36]). Given vectors $\mathbf{x}, \mathbf{y} \in \mathbb{F}_q^n$, a list of all polynomials $p \in \mathbb{F}_q[x]$ satisfying $p(x_i) = y_i$ for more than $\sqrt{2nk}$ values of $i \in \{1, \ldots, n\}$ can be found in time polynomial in $n$, provided all pairs $(x_i, y_i)$ are distinct.
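As an added example (not the author's code), here is a self-contained Python implementation of the two steps above over a small prime field: the weighted-degree bound is taken as the smallest $D$ for which the counting argument yields more than $n$ monomials, and the "factor $Q$" step is replaced by a brute-force root search over all polynomials of degree at most $k$, a stand-in for bivariate factoring that only works for tiny $q$. The constructed input is the contrived $\omega$-channel from earlier in this section with $q = 13$, $\omega = 2$ and $k = 1$, so the list should consist of exactly $p$ and $\omega p$.

```python
"""Sudan-style list decoding of a Reed-Solomon code over a small prime field
(added example, not the author's code).  The weighted-degree bound D is the
smallest value for which the counting argument yields more than n monomials, and
the "factor Q" step is replaced by a brute-force root search over all polynomials
of degree <= k, which is only feasible for tiny q."""
from itertools import product


def monomials(k, D):
    """All (i, j) with (1, k)-weighted degree i + k*j <= D (Definition 1)."""
    return [(i, j) for j in range(D // k + 1) for i in range(D - k * j + 1)]


def weighted_degree_bound(n, k):
    """Smallest D such that more than n monomials have (1, k)-weighted degree <= D,
    so that the homogeneous interpolation system has a nonzero solution."""
    D = 0
    while len(monomials(k, D)) <= n:
        D += 1
    return D


def null_vector(rows, ncols, p):
    """A nonzero solution of a homogeneous linear system over F_p (Gauss-Jordan)."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [v * inv % p for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % p for a, b in zip(rows[i], rows[r])]
        pivots.append((r, c))
        r += 1
    free = next(c for c in range(ncols) if c not in {c2 for _, c2 in pivots})
    v = [0] * ncols
    v[free] = 1                       # one free variable set to 1, pivots solved for it
    for row, c in pivots:
        v[c] = -rows[row][free] % p
    return v


def interpolate(xs, ys, k, D, p):
    """Step 1: nonzero Q(x, y) of (1, k)-weighted degree <= D with Q(x_i, y_i) = 0."""
    mons = monomials(k, D)
    rows = [[pow(x, i, p) * pow(y, j, p) % p for i, j in mons] for x, y in zip(xs, ys)]
    coeffs = null_vector(rows, len(mons), p)
    return {m: c for m, c in zip(mons, coeffs) if c}


def poly_eval(coeffs, x, p):
    """Evaluate a polynomial given by its coefficient list (low degree first)."""
    return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p


def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def is_y_root(Q, r, p):
    """True iff Q(x, r(x)) is the zero polynomial, i.e. y - r(x) divides Q(x, y)."""
    acc = {}
    for (i, j), c in Q.items():
        term = [1]
        for _ in range(j):
            term = poly_mul(term, r, p)
        for d, t in enumerate(term):
            acc[d + i] = (acc.get(d + i, 0) + c * t) % p
    return all(v == 0 for v in acc.values())


def list_decode(xs, ys, k, p):
    """Sudan's algorithm: interpolate Q, then report every polynomial r of degree
    <= k with (y - r(x)) | Q that agrees with y on more than D points (step 2)."""
    D = weighted_degree_bound(len(xs), k)
    Q = interpolate(xs, ys, k, D, p)
    found = []
    for coeffs in product(range(p), repeat=k + 1):      # brute-force root search
        r = list(coeffs)
        agreement = sum(poly_eval(r, x, p) == y for x, y in zip(xs, ys))
        if agreement > D and is_y_root(Q, r, p):
            found.append(tuple(r))
    return D, sorted(found)


# Constructed instance: the contrived omega-channel of this section over F_13.
P, OMEGA, K = 13, 2, 1
TRUE_POLY = [5, 3]                                   # p(x) = 5 + 3x
XS = list(range(P))
YS = [poly_eval(TRUE_POLY, x, P) if x % 2 == 0      # half the symbols arrive intact,
      else OMEGA * poly_eval(TRUE_POLY, x, P) % P   # the other half multiplied by omega
      for x in XS]

if __name__ == "__main__":
    D, candidates = list_decode(XS, YS, K, P)
    print("weighted-degree bound D =", D)
    print("list:", candidates)   # p and omega*p; p is the one whose omega-multiple is also listed
```

With 13 points and $k = 1$ the bound comes out as $D = 4$, and both $p = 5 + 3x$ (7 agreements) and $2p = 10 + 6x$ (6 agreements) clear the threshold of $D + 1$ agreements, exactly as the text describes for the factoring step.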

The interesting aspect of the above algorithm is that it takes some very elementary algebraic concepts, such as unique factorization, Bezout's theorem, and interpolation, and makes algorithmic use of these concepts in developing a decoding algorithm for an algebraic code. This may also be a good point to mention some of the significant advances made in the complexity of factoring multivariate polynomials that were made in the 1980's. These algorithms, discovered independently by Grigoriev [14], Kaltofen [22], and Lenstra [25], form the technical foundations of the decoding algorithm above. Modulo these algorithms, the decoding algorithm and its proof rely only on elementary algebraic concepts. Exploiting slightly more sophisticated concepts from commutative algebra leads to even stronger decoding results, which we describe next.

The algorithm of Guruswami and Sudan [17] is best motivated by the following weighted curve fitting question: Suppose in addition to vectors $\mathbf{x}$ and $\mathbf{y}$, one is also given a vector of positive integers $\mathbf{w}$ where $w_i$ determines the "weight" or confidence associated with a given point $(x_i, y_i)$. Specifically we would like to find all polynomials $p$ such that $\sum_{i \mid p(x_i) = y_i} w_i \ge W$ (for as small a $W$ as possible).

The only prior algorithm (known to this author) that could take such "reliability" consideration into account was the Generalized Minimum Distance (GMD) decoding algorithm of Forney [10]. This algorithm, in combination with Theorem 1, can find such a vector provided $W =$ . However, the GMD algorithm is combinatorial, and we would like to look for a more algebraic solution.

How can one interpret the weights in the algebraic setting? A natural way at this stage is to find a "fit" for all the data points that corresponds to the weights: Specifically, find a polynomial $Q(x, y)$ that "passes" through the point $(x_i, y_i)$ at least $w_i$ times. The notion of a curve passing through a point multiple times is a well-studied one. Such points are called singularities. Over fields of characteristic zero, these are algebraically characterized by the fact that the partial derivatives of the curve (all such, up to the $(r-1)$th derivatives, if the point must be visited by the curve $r$ times) vanish at the point. The relevant component of this observation is that insisting that a curve pass through a point $r$ times is placing $\binom{r+1}{2}$ linear constraints on the coefficients. This fact remains true over finite fields, though the partial derivatives don't yield these linear constraints any more. Using this notion to find curves that fit the points according to the weights, and then factoring the curves, leads to the following algorithm and result.

Given $\mathbf{x}, \mathbf{y} \in \mathbb{F}_q^n$, $\mathbf{w} \in \mathbb{Z}_{\ge 0}^n$, and $k$.

1. Compute $Q \ne 0$ with $(1, k)$-weighted degree at most $\lfloor\sqrt{k\sum_i w_i(w_i + 1)}\rfloor$ such that $(x_i, y_i)$ is a zero of $Q$ of multiplicity $w_i$, for all $i \in \{1, \ldots, n\}$.

2. Factor $Q$ and report all polynomials $p \in \mathbb{F}_q[x]$ such that $y - p(x)$ is a factor of $Q$ and $\sum_{i \mid p(x_i) = y_i} w_i$ is at least $\lfloor\sqrt{k\sum_i w_i(w_i + 1)}\rfloor + 1$.

Lemma 1 ([17]). Given vectors $\mathbf{x}, \mathbf{y} \in \mathbb{F}_q^n$, a list of all polynomials $p \in \mathbb{F}_q[x]$ satisfying $\sum_{i \mid p(x_i) = y_i} w_i > \lfloor\sqrt{k\sum_i w_i(w_i + 1)}\rfloor$ can be found in time polynomial in $n$ and $\sum_i w_i$, provided all pairs $(x_i, y_i)$ are distinct.

At first glance it is not clear if this is better than the GMD bound. The GMD bound is invariant with respect to scaling of the $w_i$'s while the above is not! In fact, it is this aspect that makes the algorithm above intriguing. Fix vectors $\mathbf{x}$ and $\mathbf{y}$, and consider two possible weight assignments: in the first all weights are 1, and in the second all weights are 2. On the one hand, the weight vectors place the same relative weights on all points, so a "good" solution to the first instance is also a "good" solution to the second instance. On the other hand, a close examination of the bound in Lemma 1 reveals that in the latter case it can find some polynomials that the former cannot. The first instance finds all polynomials that agree with the data in $\sqrt{2kn}$ points, while the second finds all polynomials that agree with the data in $\sqrt{\tfrac32 kn}$ points. Scaling the weights to larger and larger values, in the limit we find all polynomials that fit the data over more than $\sqrt{kn}$ points. The price we pay is that the running time of the algorithm grows with the scaling factor. However, it is easy to see that a finite (polynomial in $n$) weight suffices to decode up to this bound, and this leads to the following theorem:

Theorem 2 ([17]). Given vectors $x, y \in \mathbb{F}_q^n$, a list of all polynomials $p \in \mathbb{F}_q[x]$ 
satisfying $p(x_i) = y_i$ for more than $\sqrt{nk}$ values of $i \in \{1, \ldots, n\}$ can be found in 
time polynomial in $n$, provided all pairs $(x_i, y_i)$ are distinct. 
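The weight-scaling effect described above, as an added worked example that is not part of this article: a pure-Python implementation of the two-step algorithm over the prime field $\mathbb{F}_{13}$. Step 1 builds the multiplicity constraints as Hasse-derivative (shifted-coefficient) conditions and solves the linear system; step 2, the factoring step, is done by brute force over every polynomial of degree at most $k$, which is only feasible because the field is tiny. The field size, the planted polynomial and the corrupted positions are constructed for the demonstration, and the example also raises the weighted degree $D$ by one whenever the floor bound leaves too few unknowns, a defensive step the text does not discuss.

```python
from itertools import product
from math import comb, isqrt

# Added example (not from the paper): the two-step weighted list decoder, over the
# prime field F_P with brute-force "factoring".  P, the planted polynomial and the
# corrupted positions below are constructed for the demonstration.
P = 13


def poly_eval(coeffs, x):
    """Evaluate sum_j coeffs[j] * x^j over F_P."""
    return sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P


def nullspace_vector(rows, ncols):
    """One nonzero v with rows * v = 0 over F_P (Gaussian elimination to RREF).
    The caller guarantees more columns than independent rows."""
    A = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        if r == len(A):
            break
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], P - 2, P)
        A[r] = [v * inv % P for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(vi - f * vr) % P for vi, vr in zip(A[i], A[r])]
        pivots.append((r, c))
        r += 1
    pivot_cols = {pc for _, pc in pivots}
    free = next(c for c in range(ncols) if c not in pivot_cols)
    v = [0] * ncols
    v[free] = 1
    for row, col in pivots:  # each pivot variable = -(its coefficient on the free variable)
        v[col] = (-A[row][free]) % P
    return v


def interpolate(xs, ys, k, w):
    """Step 1: nonzero Q(x,y) = sum q_ab x^a y^b of (1,k)-weighted degree <= D that
    vanishes with multiplicity w_i at (x_i, y_i).  D starts at the bound
    floor(sqrt(k * sum w_i (w_i+1))) and is raised only if that leaves too few monomials."""
    constraints = sum(wi * (wi + 1) // 2 for wi in w)  # C(w_i+1, 2) per point
    D = isqrt(k * sum(wi * (wi + 1) for wi in w))
    monos = [(a, b) for b in range(D // k + 1) for a in range(D - k * b + 1)]
    while len(monos) <= constraints:  # unknowns must exceed equations for a nonzero Q
        D += 1
        monos = [(a, b) for b in range(D // k + 1) for a in range(D - k * b + 1)]
    rows = []
    for xi, yi, wi in zip(xs, ys, w):
        # multiplicity w_i: every coefficient of (x-x_i)^r (y-y_i)^s with r+s < w_i in the
        # shifted polynomial Q(x+x_i, y+y_i) vanishes (Hasse derivatives, which replace
        # ordinary partial derivatives over a finite field)
        for r in range(wi):
            for s in range(wi - r):
                rows.append([comb(a, r) * comb(b, s) * pow(xi, a - r, P) * pow(yi, b - s, P) % P
                             if a >= r and b >= s else 0
                             for a, b in monos])
    vec = nullspace_vector(rows, len(monos))
    return D, {m: c for m, c in zip(monos, vec) if c}


def weighted_list_decode(xs, ys, k, w):
    """Steps 1 and 2: (D, coefficient tuples of every p of degree <= k with
    y - p(x) | Q and weighted agreement sum_{i: p(x_i)=y_i} w_i > D)."""
    D, Q = interpolate(xs, ys, k, w)
    assert D < P, "Q(x,p(x)) has degree <= D; testing it on all of F_P needs D < P"
    found = []
    for coeffs in product(range(P), repeat=k + 1):  # brute-force root finding in F_P[x]
        # y - p(x) divides Q exactly when Q(x, p(x)) is the zero polynomial
        divides = all(sum(c * pow(x, a, P) * pow(poly_eval(coeffs, x), b, P)
                          for (a, b), c in Q.items()) % P == 0 for x in range(P))
        if divides:
            agreement = sum(wi for xi, yi, wi in zip(xs, ys, w) if poly_eval(coeffs, xi) == yi)
            if agreement > D:
                found.append(coeffs)
    return D, sorted(found)


# Constructed instance: n = 13 points, k = 2, planted p(x) = 3 + 5x + 2x^2 correct at
# x = 0..6 and corrupted (shifted by 4) at x = 7..12, so p agrees in exactly 7 points.
K = 2
P_TRUE = (3, 5, 2)
XS = list(range(P))
YS = [poly_eval(P_TRUE, x) if x < 7 else (poly_eval(P_TRUE, x) + 4) % P for x in XS]


def compare_weights():
    """All weights 1: agreement must exceed floor(sqrt(2kn)) = 7, so p is missed.
    All weights 2: 2*agreement must exceed floor(sqrt(6kn)) = 12, so p is found."""
    return (weighted_list_decode(XS, YS, K, [1] * len(XS)),
            weighted_list_decode(XS, YS, K, [2] * len(XS)))


if __name__ == "__main__":
    (d1, l1), (d2, l2) = compare_weights()
    print(f"w=1: D={d1}, list={l1}")
    print(f"w=2: D={d2}, list={l2}")
```

With all weights 1 the reporting threshold is 8 agreements and the planted polynomial, with 7, is not reported; with all weights 2 the threshold drops to 7 and it is the only polynomial in the list.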

Note that while the original motivation was to find a better algorithm for 
the "weighted" decoding problem, the result is a better unweighted decoding 
algorithm that uses the weighted version as an intermediate step. Of course, it 
is also possible to state what the algorithm achieves for a general set of weights. 
For this part, we will just assume that the weight vector is an arbitrary vector 
of non-negative reals, and get the following: 

Theorem 3 ([17,18]). Given vectors $x, y \in \mathbb{F}_q^n$, a weight vector $w \in \mathbb{R}_{\ge 0}^n$, and 
a real number $\epsilon > 0$, a list of all polynomials $p \in \mathbb{F}_q[x]$ satisfying 
$\sum_{i : p(x_i) = y_i} w_i \ge \sqrt{k(\epsilon + \sum_i w_i^2)}$ can be found in time polynomial in $n$ and $1/\epsilon$, provided the pairs 
$(x_i, y_i)$ are all distinct. 

This result summarizes the state of knowledge for list-decoding of Reed 
Solomon codes, subject to the restriction that the decoding algorithm runs in 
polynomial time. However this criterion, that the decoding algorithm runs in 
polynomial time, is a very loose one. The practical nature of the problem deserves 
a closer look at the components involved and efficient strategies to implement 
these components. This problem has been considered in the literature, 
with significant success. In particular, it is now known how to implement the 
interpolation step in $O(n^2)$ time when the output list size is a constant [29,31]. 
Similar running times are also known for the root finding problem (which suffices 
for the second step in the algorithms above) [2,11,28,29,31,39]. Together these 
algorithms lead to the possibility that a good implementation of list-decoding 
may actually be able to compete with the classical Berlekamp-Massey decoding 
algorithm in terms of efficiency. A practical implementation of such an 
algorithm in C++, due to Rasmus Refslund Nielsen, is available from his 
homepage (http://www.student.dtu.dk/~p938546/index.html). 



3 Ideal Error-Correcting Codes and Decoding 

We now move on to other list-decoding algorithms for other algebraic codes. The 
potential for generalizing the decoding algorithms above to codes other than just 
the Reed Solomon code was first shown by Shokrollahi and Wasserman [33]. In 
their work, they show how to generalize the algorithm above to decode the more 
general family of algebraic-geometry codes. A full description of this family of 
codes is out of scope for this article; the reader is encouraged to read the text 
of Stichtenoth [34] or the article by Høholdt, van Lint, and Pellikaan [20] for 
a description. However we will attempt to describe the flavor of the results by 
defining a broad class of codes, that we call "Ideal error-correcting codes". 

One way of viewing Reed Solomon codes is that they are built over a (nice) 
integral domain $R = \mathbb{F}_q[x]$.¹ The message space $\mathcal{M} = \mathbb{F}_q^{k}[x]$, the polynomials of 
degree at most $k$, is chosen to be a subset of the ring $R$. Additionally the code is 
specified by a collection of ideals $I_1, \ldots, I_n$ of $R$. In the case of Reed Solomon 
codes, these are the ideals generated by the linear polynomials $x - x_1, \ldots, x - x_n$. 
The encoding of a message element $p \in R$ is simply its residue modulo the $n$ ideals. 
Thus, in Reed Solomon encoding, 
$p \mapsto (p \bmod (x - x_1), \ldots, p \bmod (x - x_n)) = (p(x_1), \ldots, p(x_n))$, as expected. 
The following definition summarizes the family of codes obtained this way. 

Definition 2 (Ideal error-correcting codes [16]). An ideal error-correcting 
code is specified by a triple $(R, \mathcal{M}, \{I_1, \ldots, I_n\})$, where $R$ is an integral domain, 
$\mathcal{M} \subseteq R$, and $I_1, \ldots, I_n$ are ideals of $R$. The code is a subset of 
$(R/I_1) \times \cdots \times (R/I_n)$, given by the set $\{(p \bmod I_1, \ldots, p \bmod I_n) \mid p \in \mathcal{M}\}$. 

To quantify the distance properties of such a code, it is useful to impose a 
notion of size on elements of the ring $R$. In the case of Reed Solomon codes 
the size of an element is essentially its degree (though for technical reasons, 
it is convenient to use an exponential function of the degree as the measure of size, 
so that the multiplicative axiom below holds). The message space usually 
consists of all elements of small size. To make this space large one needs to know 
that the ring has sufficiently many small elements. Further, the size function is 
assumed to satisfy some axioms such as $\mathrm{size}(a+b) \le \mathrm{size}(a) + \mathrm{size}(b)$, 
$\mathrm{size}(ab) \le \mathrm{size}(a) \cdot \mathrm{size}(b)$, and so on. Further, if the size of an ideal is defined to be the 
size of the smallest non-zero element in it, then $\mathrm{size}(J_1 J_2)$ should be at least 
$\mathrm{size}(J_1) \cdot \mathrm{size}(J_2)$. Assuming such relatively simple axioms, it is possible to analyze 
the minimum distance of an ideal error-correcting code once the sizes of the 
ideals $I_1$ to $I_n$ are known. (We will not cover these definitions formally here; 
we refer the reader to [16] for a full discussion.) The same axioms guarantee 
efficient (list-)decoding as well. In fact, the following simple generalization of the 
algorithm from the previous section gives the algorithm for decoding any ideal 
error-correcting code. We describe the algorithm informally; a formal specification 
involves a careful setting of various parameters. 

Given $y \in R^n$ and $w \in \mathbb{Z}_{\ge 0}^n$. 

1. Let $J_i$ be the ideal of $R[y]$ generated by $I_i$ and $y - y_i$, i.e. $J_i = I_i \cdot R[y] + (y - y_i) \cdot R[y]$. 

2. Compute $Q \in R[y] - \{0\}$ of small degree in $y$, with small coefficients, 
satisfying $Q \in \bigcap_{i=1}^{n} J_i^{w_i}$. 

3. Factor $Q$ and report all elements $p \in \mathcal{M}$ such that $y - p$ is a factor of $Q$ and 
$y_i \in p + I_i$ for sufficiently many $i$. 

¹ For the reader who is rusty with the elements of commutative algebra, let us recall 
that an integral domain is a commutative ring $R$ that has no zero divisors (i.e., 
$pq = 0$ implies $p = 0$ or $q = 0$). An ideal $I$ in $R$ is a subset that is closed under 
addition, and $a \in I$ implies $ab \in I$ for all $b \in R$. The quotient of $R$ by $I$, denoted 
$R/I$, is a ring (an integral domain when $I$ is a prime ideal, and a field when $I$ is 
maximal, as the ideals $(x - x_i)$ above are); this quotient ring is crucial to many 
definitions here. 
In this setting, the algorithm above may even appear more natural. Note 
that the ideals $J_i$ above have the following meaning: $y - p$ belongs to the ideal 
$J_i$ if and only if $y_i \in p + I_i$. Thus we want all elements $p$ such that $y - p$ lies in 
many of the ideals $J_i$. To find such an element, we find an element $Q$ that 
lies in all of them, and factor it to find any element that lies in many of them. 

Why consider this more complicated scheme? Ideal error-correcting codes not 
only include the class of Reed Solomon codes (as already pointed out), but also 
all algebraic-geometry codes, and an interesting family of number-theoretic codes 
termed Redundant Residue Number System (RRNS) codes. As a consequence of 
the generalization above, one gets a structure for decoding all of the above families 
of codes. Note that we only get a structure, not the algorithm itself. In order to 
get actual decoding algorithms, one needs to find algorithms to "compute $Q$" 
(the interpolation step) as well as to factor over $R[y]$. Both aspects present their 
own complexity, as we will illustrate for the RRNS codes. Furthermore, to get 
the best possible decoding algorithm, one needs to select the parameters, and in 
particular the weights, carefully. We will discuss this more in the next section. 

Finally, we point out one important class of codes where the decoding algorithms 
do not seem to apply. This is the class of Reed-Muller codes, where the 
algorithm of Feng and Rao [9] (see, in particular, the description in [20]) decodes 
up to half the minimum distance. The best known list-decoding algorithm [32] 
does better than the above algorithm for some choices of parameters, but does not 
even match the above algorithm for other choices of parameters. Extending 
the list-decoding algorithm given here to apply to the class of Reed-Muller 
codes seems to require a generalization beyond the class of ideal codes. 

4 Redundant Residue Number System Codes 

This is the family of ideal error-correcting codes given by $R = \mathbb{Z}$, $\mathcal{M} = \{0, \ldots, K-1\}$ 
for some integer $K$, and $I_i = (p_i)$ for a collection of pairwise relatively prime integers 
$p_1, \ldots, p_n$. In other words, a message is a non-negative integer less than $K$ and 
its encoding is its vector of residues modulo the small integers $p_1, \ldots, p_n$. If we permute 
the indices so that $p_1 < \cdots < p_n$, and if $K < \prod_{i=1}^{k} p_i$, then this code has 
minimum distance at least $n - k + 1$: two distinct messages below $K$ cannot agree in 
$k$ or more residues, since by the Chinese remainder theorem they would then be congruent 
modulo a product of $k$ moduli, which exceeds $K$. Thus it should be uniquely correctable up to 
$\lfloor (n-k)/2 \rfloor$ errors, and list-decodable up to about $n - \sqrt{nk}$ errors. It turns out that 
Mandelbaum [27] gave a unique decoding algorithm correcting up to $\lfloor (n-k)/2 \rfloor$ errors. 
The algorithm runs in polynomial time provided the largest and smallest moduli 
are relatively close in value. Goldreich et al. [12] gave an algorithm correcting 
approximately $n - (\cdots)$ errors, Boneh [6] improved this to $n - (\cdots)$ 
errors, and finally Guruswami et al. [16] improved this to correct $n - \sqrt{n(k + \epsilon)}$ 
errors for arbitrarily small $\epsilon$. They also give a polynomial time unique decoding 
algorithm correcting up to $\lfloor (n-k)/2 \rfloor$ errors. 

The algorithms of [12,6,16] illustrate some of the technicalities that surface in 
specializing the algorithm of Section 3. For instance, consider the interpolation 
step. Even in the simple case when all the $w_i$'s are 1, the case considered in [12], 
the algorithm for this part is not obvious. We wish to find a polynomial $Q$ with 
small integer coefficients such that $Q(y_i) \equiv 0 \pmod{p_i}$ for every $i$; equivalently, 
writing $Y$ for the integer obtained from $y$ by Chinese remaindering, 
$Q(Y) \equiv 0 \pmod{\prod_{i=1}^{n} p_i}$. This is a task in 
Diophantine approximation and no longer a simple linear system. Fortunately, 
it turns out to be a relatively well-studied problem. The set of polynomials (of 
bounded degree) satisfying the condition $Q(Y) \equiv 0 \pmod{\prod_{i=1}^{n} p_i}$ forms a lattice, and finding 
a polynomial with small coefficients is a "shortest vector problem" in integer 
lattices; one can use the groundbreaking algorithm of Lenstra, Lenstra, and 
Lovász [26] (LLL) to solve this problem near-optimally. In the case of general 
weights [6,16], the problem remains a short vector problem in a lattice; however 
it is not simple to express a basis for this lattice explicitly. In the case of uniform, 
but not unit, weights, [6] manages to come up with an explicit description based 
on some analogies with problems in cryptography. For the fully general 
case, [16] do not describe an explicit basis; instead they give an algorithm that 
computes this basis from the weights. Thus this step of the process can get 
quite complicated in the case of number-theoretic codes. (In contrast this step 
remains reasonably simple in the case of algebraic geometry codes.) 
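The RRNS code defined at the start of this section and the unit-weight interpolation lattice just described, as an added worked example that is not part of this article. The moduli, the message and the corrupted position are constructed toy values, and the lattice basis $N,\; x - Y,\; x(x - Y), \ldots$ is a standard construction for the lattice the paragraph mentions, not something stated on this page; the example stops at building and checking that basis and does not perform the LLL reduction.

```python
from math import gcd, prod

# Added example (not from the paper): an RRNS code as an ideal error-correcting code
# with R = Z, M = {0,...,K-1}, I_i = (p_i), plus the lattice searched by the
# unit-weight interpolation step.  Moduli and messages are constructed toy values.

MODULI = [5, 7, 11, 13]          # pairwise coprime, sorted so p_1 < ... < p_n
K_MSG = 2                        # messages lie below the product of the K_MSG smallest moduli
K_BOUND = prod(MODULI[:K_MSG])   # = 35, giving minimum distance >= n - k + 1 = 3


def rrns_encode(msg, moduli=MODULI):
    """Encoding in the ideal-code sense: the residue of msg modulo each ideal (p_i)."""
    assert all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:])
    return [msg % p for p in moduli]


def crt_lift(residues, moduli=MODULI):
    """Y in [0, N) with Y = residues[i] (mod moduli[i]) for every i (Garner's algorithm)."""
    y, m = 0, 1
    for r, p in zip(residues, moduli):
        y += m * ((r - y) * pow(m, -1, p) % p)  # adjust by a multiple of m, keeping earlier congruences
        m *= p
    return y


def min_distance(k_bound=K_BOUND, moduli=MODULI):
    """Brute-force Hamming distance over all pairs of encoded messages below k_bound."""
    words = [rrns_encode(m, moduli) for m in range(k_bound)]
    return min(sum(a != b for a, b in zip(u, v))
               for i, u in enumerate(words) for v in words[i + 1:])


def list_decode_by_search(received, radius, k_bound=K_BOUND, moduli=MODULI):
    """The decoding goal of Section 3 solved by exhaustive search (fine for tiny K):
    every message whose encoding agrees with `received` in >= n - radius positions."""
    n = len(moduli)
    return [m for m in range(k_bound)
            if sum(a == b for a, b in zip(rrns_encode(m, moduli), received)) >= n - radius]


def interpolation_lattice_basis(received, degree, moduli=MODULI):
    """Unit-weight interpolation step: integer polynomials Q of degree <= `degree` with
    Q(Y) = 0 mod N (N = prod p_i, Y the CRT lift of the received word) form a lattice.
    Basis, as coefficient vectors (constant term first): N, x - Y, x(x - Y), ..., x^(d-1)(x - Y).
    A short vector of this lattice (found in practice with LLL) is the small Q wanted."""
    N, Y = prod(moduli), crt_lift(received, moduli)
    basis = [[N] + [0] * degree]
    for j in range(degree):
        basis.append([0] * j + [-Y, 1] + [0] * (degree - j - 1))
    return basis


def poly_eval_int(coeffs, x):
    return sum(c * x ** j for j, c in enumerate(coeffs))


def lattice_vectors_vanish(received, degree, moduli=MODULI):
    """Sanity check: every basis vector (hence every integer combination) is a polynomial
    with Q(Y) = 0 mod N, which is what makes the search a lattice problem."""
    N, Y = prod(moduli), crt_lift(received, moduli)
    return all(poly_eval_int(b, Y) % N == 0
               for b in interpolation_lattice_basis(received, degree, moduli))


if __name__ == "__main__":
    word = rrns_encode(29)           # 29 -> [4, 1, 7, 3]
    word[2] = (word[2] + 5) % 11     # one corrupted residue
    print(min_distance(), list_decode_by_search(word, 1), interpolation_lattice_basis(word, 2))
```

Note that `Q(Y) ≡ 0 (mod N)` is the same condition as `Q(y_i) ≡ 0 (mod p_i)` for every `i`, since `Y ≡ y_i (mod p_i)`; any `Q` in the lattice therefore satisfies the per-modulus conditions of the text.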

Another aspect of the decoding algorithm highlighted by the number-theoretic 
setting is the choice of weights. Even in the simple case where all the input 
weights are unit, it is not clear that the best choice of weights is a uniform one. 
Indeed, the final choice used by [16] gives large weights to the small moduli and 
smaller weights to the larger moduli. In general, this issue, namely what is the best 
choice of weights for the algorithm and how they should relate to the weights 
given as input, is far from clear. For example, a recent paper of Kötter and 
Vardy [24] suggests a completely surprising choice of weights in the case of 
algebraic geometry codes. This leads to better bounds for decoding these codes than 
the one given in [17]. A more detailed examination of this question has been 
carried out by Kötter [23]. 

Finally, we move on to the second step of the decoding algorithm. In this case 
the algorithm that is required is an integer root-finding algorithm for integer 
polynomials. This is again a well-studied problem, with known polynomial time 
solutions. This step however can get significantly more complicated for other 
ideals. E.g., in the case of algebraic-geometry codes, the issue becomes that 
of how the codes are specified. For most well-known families of such codes, 
the standard specifications do lead to polynomial time solutions [11,28,29,39]. 
For arbitrary codes, however, it is a priori unclear whether a natural representation 
could lead to a polynomial time decoding algorithm. In fact, in the absence 
of a complete characterization of all algebraic geometry codes, it is unclear 
what a natural representation for all of them would be. [19] suggest a potential 
representation that is reasonably succinct (polynomial sized in the generator 
matrix) and that allows this and other necessary tasks to be solved in polynomial 
time, by using the algorithms of [11] and [29]. 

Acknowledgments. Thanks to Venkatesan Guruswami for letting me describe 
many of our joint works here, to Tom Høholdt for enlightening me on many of 
the developments (both old and new) in the coding theory community, and to 
Ralf Kötter for clarifying the subtleties in the choice of weights. 







References 

1. Sigal Ar, Richard J. Lipton, Ronitt Rubinfeld, and Madhu Sudan. Reconstructing 
algebraic functions from erroneous data. SIAM Journal on Computing, 28(2):487-
510, April 1999. 

2. Daniel Augot and Lancelot Pecquet. A Hensel lifting to replace factorization in 
list decoding of algebraic-geometric and Reed-Solomon codes. IEEE Trans. Info. 
Theory, 46(6): 2605-2613, November 2000. 

3. Elwyn R. Berlekamp. Bounded distance +1 soft-decision Reed Solomon decoding. 
IEEE Transactions on Information Theory, 42(3):704-720, 1996. 

4. Richard E. Blahut. Theory and practice of error control codes. Addison- Wesley 
Pub. Co., 1983. 

5. V. M. Blinovskii. Bounds for codes in the case of list decoding of finite volume. 
Problemy Peredachi Informatsii, 22(1):11-25, January-March 1986. 

6. Dan Boneh. Finding smooth integers in short intervals using CRT decoding. (To 
appear) Proceedings of the Thirty-Second Annual ACM Symposium on Theory of 
Computing, Portland, Oregon, 21-23 May 2000. 

7. Peter Elias. List decoding for noisy channels. WESCON Convention Record, Part 
2, Institute of Radio Engineers (now IEEE), pages 94-104, 1957. 

8. Peter Elias. Error-correcting codes for list decoding. IEEE Transactions on Infor- 
mation Theory, 37(1):5-12, January 1991. 

9. G.-L. Feng and T. R. N. Rao. Decoding algebraic-geometric codes up to the 
designed minimum distance. IEEE Transactions on Information Theory, 39(1):37-45, 
January 1993. 

10. G. David Forney Jr.. Concatenated Codes. MIT Press, Cambridge, MA, 1966. 

11. S. Gao and M. A. Shokrollahi. Computing roots of polynomials over function fields 
of curves. Proceedings of the Annapolis Conference on Number Theory, Coding 
Theory, and Cryptography, 1999. 

12. Oded Goldreich, Dana Ron, and Madhu Sudan. Chinese remaindering with errors. 
IEEE Transactions on Information Theory, 46(4):1330-1338, July 2000. 

13. Oded Goldreich, Ronitt Rubinfeld, and Madhu Sudan. Learning polynomials with 
queries: The highly noisy case. Proceedings of the 36th Annual Symposium on 
Foundations of Computer Science, pages 294-303, Milwaukee, Wisconsin, 23-25 
October 1995. 

14. Dima Grigoriev. Factorization of polynomials over a finite field and the solution 
of systems of algebraic equations. Translated from Zapiski Nauchnykh Seminarov 
Leningradskogo Otdeleniya Matematicheskogo Instituta im. V. A. Steklova AN 
SSSR, 137:20-79, 1984. 

15. Venkatesan Guruswami, Johan Håstad, Madhu Sudan, and David Zuckerman. 
Combinatorial bounds for list decoding. (To appear) Proceedings of the 38th 
Annual Allerton Conference on Communication, Control, and Computing, 2000. 

16. Venkatesan Guruswami, Amit Sahai, and Madhu Sudan. “Soft-decision” decoding 
of Chinese remainder codes. Proceedings of the 41st Annual Symposium on Foun- 
dations of Computer Science, pages 159-168, Redondo Beach, California, 12-14 
November, 2000. 

17. Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed-Solomon 
codes and algebraic-geometric codes. IEEE Transactions on Information Theory, 
45(6):1757-1767, September 1999. 

18. Venkatesan Guruswami and Madhu Sudan. List decoding algorithms for certain 
concatenated codes. Proceedings of the Thirty-Second Annual ACM Symposium 
on Theory of Computing, pages 181-190, Portland, Oregon, 21-23 May 2000. 







19. Venkatesan Guruswami and Madhu Sudan, On representations of algebraic- 
geometric codes. IEEE Transactions on Information Theory (to appear). 

20. T. Høholdt, J. H. van Lint, and R. Pellikaan. Algebraic geometry codes. In Handbook 
of Coding Theory, V. Pless and C. Huffman (Eds.), Elsevier Sciences, 1998. 

21. J. Justesen and T. Høholdt. Bounds on list decoding of MDS codes. Manuscript, 
1999. 

22. Erich Kaltofen. A polynomial-time reduction from bivariate to univariate integral 
polynomial factorization. Proceedings of the Fourteenth Annual ACM Symposium 
on Theory of Computing, pages 261-266, San Francisco, California, 5-7 May 1982. 

23. Ralf Kötter. Personal communication, March 2001. 

24. Ralf Kötter and Alexander Vardy. Algebraic soft-decision decoding of Reed-
Solomon codes. (To appear) Proceedings of the 38th Annual Allerton Conference 
on Communication, Control, and Computing, 2000. 

25. Arjen K. Lenstra. Factoring multivariate polynomials over finite fields. Journal of 
Computer and System Sciences, 30(2):235-248, April 1985. 

26. A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational 
coefficients. Mathematische Annalen, 261:515-534, 1982. 

27. D. M. Mandelbaum. On a class of arithmetic codes and a decoding algorithm. 
IEEE Transactions on Information Theory, 21:85-88, 1976. 

28. R. Matsumoto. On the second step in the Guruswami-Sudan list decoding 
algorithm for AG-codes. Technical Report of IEICE, pp. 65-70, 1999. 

29. R. Refslund Nielsen and Tom Høholdt. Decoding Hermitian codes with Sudan's 
algorithm. Proceedings of AAECC-13, LNCS 1719, Springer-Verlag, 1999, pp. 260-
270. 

30. W. W. Peterson. Encoding and error-correction procedures for Bose-Chaudhuri 
codes. IRE Transactions on Information Theory, IT-6:459-470, 1960. 

31. Ron M. Roth and Gitit Ruckenstein. Efficient decoding of Reed-Solomon codes 
beyond half the minimum distance. IEEE Transactions on Information Theory, 
46(l):246-257, January 2000. 

32. Madhu Sudan, Luca Trevisan, and Salil Vadhan. Pseudorandom generation with- 
out the XOR lemma. Proceedings of the Thirty-First Annual ACM Symposium 
on Theory of Computing, pages 537-546, Atlanta, Georgia, 1-4 May 1999. 

33. M. Amin Shokrollahi and Hal Wasserman. List decoding of algebraic-geometric 
codes. IEEE Transactions on Information Theory, 45(2): 432-437, March 1999. 

34. Henning Stichtenoth. Algebraic Function Fields and Codes. Springer- Verlag, Berlin, 
1993. 

35. Madhu Sudan. Efficient Checking of Polynomials and Proofs and the Hardness of 
Approximations. ACM Distinguished Theses. Lecture Notes in Computer Science, 
no. 1001, Springer, 1996. 

36. Madhu Sudan. Decoding of Reed Solomon codes beyond the error-correction 
bound. Journal of Complexity, 13(1): 180-193, March 1997. 

37. Lloyd Welch and Elwyn R. Berlekamp. Error correction of algebraic block codes. 
US Patent Number 4,633,470, issued December 1986. 

38. J. M. Wozencraft. List decoding. Quarterly Progress Report. Research Laboratory 
of Electronics, MIT, Vol. 48, pp. 90-95, 1958. 

39. Xin-Wen Wu and Paul H. Siegel. Efficient list decoding of algebraic geometric 
codes beyond the error correction bound. Proc. of International Symposium on 
Information Theory, June 2000. 

40. V. V. Zyablov and M. S. Pinsker. List cascade decoding. Problemy Peredachi In- 
formatsii, 17(4):29-33, October-December 1981. 




Self-dual Codes Using Image Restoration Techniques 

A. Baliga¹ and J. Chua² 

¹ Department of Mathematics, RMIT University, GPO Box 2476V, Melbourne, VIC 
3001, Australia. asha@rmit.edu.au 

² School of Computer Science and Software Engineering, PO Box 26, Monash 
University, Victoria 3800, Australia. Joselito.chua@csse.monash.edu.au 



Abstract. From past literature it is evident that the search for self-dual 
codes has been hampered by the computational difficulty of generating 
the Hadamard matrices required. The use of the cocyclic construction of 
Hadamard matrices has permitted substantial cut-downs in the search 
time, but the search space still grows exponentially. Here we look at an 
adaptation of image-processing techniques for the restoration of damaged 
images for the purpose of sampling the search space systematically. The 
performance of this approach is evaluated for Hadamard matrices of small 
orders, where a full search is possible. 

The dihedral cocyclic Hadamard matrices obtained by this technique 
are used in the search for self-dual codes of length 40, 56 and 72. In 
addition to the extremal doubly-even [56,28,12] code, and two singly- 
even [56,28,10] codes, we found a large collection of codes with only one 
codeword of minimum length. 

1 Introduction 

In [3], the $[I, A]$ construction was used to obtain doubly-even self-dual codes 
from $\mathbb{Z}_2^2 \times \mathbb{Z}_t$-cocyclic Hadamard matrices for $t$ odd. This construction was 
extended and refined in [1,2] to include the cyclic, the dihedral and the dicyclic 
groups, and the equivalence classes of the codes obtained from groups of order 
20 were catalogued. The internal structure of these Hadamard matrices permits 
substantial cut-downs in the search time for each code found. However the search 
space for cocyclic Hadamard matrices developed over $D_{4t}$ grows exponentially 
with $t$. Image restoration techniques may provide the answer to this problem, 
sampling the search space systematically when a full search is computationally 
infeasible. The performance of this approach is evaluated for $t = 5$ and $7$, where 
a full search was feasible. 

The Hadamard matrices thus found were used in the search for all $D_{4t}$-
cocyclic self-dual codes of length 40 and 56. In the case of self-dual codes of length 
72, this was the only technique used to generate the Hadamard matrices. We 
catalogue the self-dual codes found in the search, noting the occurrence of self-
dual codes with one codeword of minimum length. 
In Section 2, we outline the structure of dihedral cocyclic Hadamard matrices, 
detailing the efficiency obtained. In Section 3, the idea of using the search space 
as an image is explored, and the use of image restoration techniques is discussed, 
along with a summarised algorithm. Section 4 gives the results we have found 
so far, including the self-dual codes found using the above techniques. 



2 $D_{4t}$-Cocyclic Hadamard Matrices 

In [7], Flannery details the condition for the existence of a Hadamard matrix 
cocyclic over $D_{4t}$. Denote by $D_{4t}$ the dihedral group of order $4t$, $t \ge 1$, given by 
the presentation 

$$\langle a, b \mid a^{2t} = b^2 = (ab)^2 = 1 \rangle.$$

Cocyclic Hadamard matrices developed over $D_{4t}$ can exist only in the cases 
$(A, B, K) = (1, 1, 1), (1, -1, 1), (1, -1, -1), (-1, 1, 1)$ for $t$ odd. Here $A$ and $B$ are 
the inflation variables and $K$ is the transgression variable. We only consider the 
case $(A, B, K) = (1, -1, -1)$ in this paper, since computational results in [7] and 
[1] suggest that this case contains a large density of cocyclic Hadamard matrices. 
This case also gives rise to a central extension of $\mathbb{Z}_2$ by $D_{4t}$ called a "group of 
type Q" [8]. The techniques presented in this paper can be adapted easily for 
other cases of $(A, B, K)$. 

A group developed matrix over the group $D_{4t}$ for the case $(A, B, K) = (1, -1, -1)$ 
has block form 

$$H = \begin{pmatrix} M & N \\ ND & -MD \end{pmatrix} \qquad (1)$$

where $M$ and $N$ are $2t \times 2t$ matrices, each of which is the entrywise product of 
a back circulant and a back negacyclic matrix. 

$D$ is the matrix obtained by negating every non-initial row of a back circulant 
$2t \times 2t$ matrix with first row 

$$(1, 0, 0, \ldots, 0).$$

Following Proposition 6.5 (ii) in [7], we know that $H$ is a cocyclic Hadamard 
matrix if and only if 

$$M M^{\top} + N N^{\top} = 4t\, I_{2t}. \qquad (2)$$

Denote the first rows of $M$ and $N$ by $m$ and $n$, respectively. Since the 
matrices $M$ and $N$ are determined by their first rows, $m$ and $n$ can 
be used to determine whether the corresponding matrices satisfy equation (2) 
without having to construct the actual matrices. Flannery [7] showed that $M$ 
and $N$ satisfy equation (2) for $t > 2$ if and only if 

$$m P^{i} W_i m^{\top} = -\, n P^{i} W_i n^{\top} \quad \text{for } 1 \le i \le t - 1, \qquad (3)$$

where $P$ is a forward circulant matrix with first row 

$$(0, 0, 0, \ldots, 0, 1)$$

and $W_i$ is a $2t \times 2t$ diagonal matrix whose main diagonal is 

$$(1, 1, \ldots, 1, -1, \ldots, -1),$$

where the last entry $1$ occurs in position $2t - i$. 

In the implementation, the matrices $P^{i}$ and $W_i$ are pre-computed for $i = 
1, \ldots, t - 1$ to avoid having to construct them repeatedly for every $(m, n)$ pair. 
The computational cost of determining whether $H$ is a cocyclic Hadamard matrix 
is reduced substantially because the calculations in equation (3) can terminate 
as soon as the equality fails at some value of $i$. 

Flannery [7] also suggests using some symmetries to reduce the search space. 
For example, if an $(m, n)$ pair satisfies equation (3) then the $(\pm m, \pm n)$ pairs also 
satisfy the condition. Moreover, a matrix developed from an $(m, n)$ pair satisfying 
the condition is Hadamard-equivalent to that of $(-m, -n)$. This cuts the search 
space down by half, from $2^{2t}$ to $2^{2t-1}$, for each $2t$-tuple. 

Similar "paper-folding" symmetries in the case of $(A, B, K) = (1, -1, -1)$ 
reduce the search space further to $1/8$ of the entire set of possibilities. It is easy 
to show that if the matrix which corresponds to $(m, n)$ is Hadamard, then the 
matrices corresponding to $(n, m)$, $(-n, m)$, $(-m, n)$, $(-m, -n)$, $(-n, -m)$, 
$(n, -m)$ and $(m, -n)$ will also be Hadamard. These symmetries are illustrated 
in Figure 1. For the rest of this paper, the discussion is limited to the $(m, n)$ 
pairs in the shaded region in Figure 1. 

Despite the reduction in search space and cut-downs in computational cost, 
the number of $(m, n)$ pairs we need to consider is still around $2^{4t-3}$. In situations 
where it may not be possible to consider all the pairs, we may need to 
choose wisely which pairs to consider. This means sampling the search space 
systematically by making an educated guess of which $(m, n)$ pairs are likely to 
yield cocyclic Hadamard matrices. 

3 The Search Space as an Image 

This approach regards the search space as a $2^{2t} \times 2^{2t}$ black and white picture, 
with the black dots representing the $(m, n)$ pairs which yield cocyclic Hadamard 
matrices. The vectors $(m, n)$ are mapped to a pair of integer coordinates $(m, n)$ 
by mapping the vector entries $\{1, -1\}$ to $\{1, 0\}$ and interpreting the resulting 
binary strings as non-negative integers in base-2 notation. 

Figure 2 shows the resulting images for $t = 5$ and $t = 7$ in an octant of 
the search space. While a cursory glance gives the impression that the dots are 
scattered uniformly over the search space, a closer examination of the images 
indicates that the dots are denser in certain areas, forming distinguishable 
patterns across the image, thus providing a reason for the use of image processing 
methods. 

The idea here is that if the search space is too large to obtain the complete image, 
then it can be sampled uniformly, and the $(m, n)$ coordinates which yield 
cocyclic Hadamard matrices plotted. The resulting sparse plot can now be regarded 
as a "damaged" version of the image, and image-processing techniques 
applied to "restore" the image. The restored image is therefore an attempt to 
predict the $(m, n)$ pairs which are likely to yield cocyclic Hadamard matrices. 
The regions of interest can be identified and the search limited to those regions 
rather than the entire search space. 

Fig. 1. The $(m, n)$ pairs which yield cocyclic Hadamard matrices in the shaded region 
determine all the cocyclic Hadamard matrices over the entire search space. 

Fig. 2. Sample complete images for $t = 5$ and $t = 7$, respectively. Each image plots the 
$(m, n)$ coordinates corresponding to all the $(m, n)$ pairs which yield cocyclic Hadamard 
matrices in an octant of the search space. 
3.1 Image Restoration 

A number of image-restoration techniques are available in the image processing 
literature. The technique used here is an extension of the $k$-nearest neighbour-based 
method proposed by Mazzola [10]. The method is adapted to approximate sparse 
point-set images. Kernel parameters are trained at smaller values of $t$, where a 
complete image containing all the cocyclic Hadamard matrices can be obtained. 
A brief description of the technique is presented in this section. Details of the 
development are provided in [4]. 

The technique can be described as a convolution operation as follows: 

$$I = S * \phi \qquad (4)$$

where $I$ is the grey-scale "restored" image, $\phi$ is a convolution kernel, $*$ is the 
convolution operator, and $S$ is the "damaged" image defined by: 

$$S(x, y) = \begin{cases} 1 & \text{if } (x, y) \text{ represents a cocyclic Hadamard matrix} \\ 0 & \text{if } (x, y) \text{ represents a matrix which is either not among the samples, or not cocyclic Hadamard} \end{cases} \qquad (5)$$

$S$ is a black-and-white image where every black dot (i.e., a pixel value of 1) 
represents a Hadamard matrix. $I$ is a grey-scale image, where the varying shades 
of grey represent the relative density of the dots in the corresponding region of 
$S$. A summary of the image restoration algorithm is as follows: 



procedure RestoreImage 
  parameter k: integer; 
begin 
  input S: black-and-white image; 
  initialise I(x,y) := 0 for all (x,y); 
  for every (m,n) such that S(m,n) = 1 do 
    find the k dots nearest to (m,n) in S; 
    r_mn := the average Euclidean distance between (m,n) and its k nearest dots; 
    R_mn := the 2r_mn x 2r_mn rectangular region centred at (m,n); 
    for every (x,y) in R_mn do 
      I(x,y) := I(x,y) + phi(x,y); 
    end for; 
  end for; 
  normalise pixel values of I; 
  output I: grey-scale image; 
end procedure; 



The parameter $k$ is the number of neighbouring dots to be considered, and 
depends on the average density of the dots in $S$. If $S$ is sparse, then $k$ can only 
take small values. As more cocyclic Hadamard matrices are found, the average 
density increases, and $k$ takes on larger values. If $N$ is the number of matrices 
found so far, then $k$ is estimated as follows: 

$$k \approx \alpha_t \cdot N \qquad (6)$$

where $\alpha_t$ is the predicted average density of the dots in $S$ when all cocyclic 
Hadamard matrices have been found. Known values of $t$ and $\alpha_t$ predict that $\alpha_t$ 
decays exponentially as $t$ increases. An exponential fit estimates an upper bound 
for $\alpha_t$ as follows: 

$$\alpha_t \approx 0.0000574771 + 92.5021 \cdot (\cdots) \qquad (7)$$
The technique described in [5] is used to find k dots nearest to (m, n) in S. 
These dots are referred to as the k-nearest neighbours of (rn,n). The size of the 
convolution window depends on rmn, the average Euclidean distance between 
the dot at {m,n) and its fc-nearest neighbours. The convolution window, Rmn, 
is determined as follows: 



Rmn = {{x,y) I m - Tjnn < X <m + Umn and n - Tmn <V <U + Tmn} (8) 



Given R_mn, the convolution operation darkens the corresponding region in I 
in a manner determined by the convolution kernel, φ. Since the aim is to attempt 
restoration of sparse point-set images, a Poisson kernel with peak response at 
(m, n) is used: 

$\phi(x,y) = \dfrac{\lambda^{d}\, e^{-\lambda}}{\Gamma(d+1)}$ (9) 

where $d = \lambda - \sqrt{(x-m)^2 + (y-n)^2}$, $\lambda = \sqrt{2}\, r_{mn}$, $(x,y) \in R_{mn}$, and Γ is the 
Euler gamma function. The values of φ are normalised so that the sum of φ over 
R_mn is equal to 1. Figure 3 shows φ over R_mn. 

High values of φ contribute darker shades of grey in I. The Poisson kernel 
emphasises the center of R_mn, which is at (m, n). The shades become lighter 
towards the edge of the window. As R_mn becomes large, φ becomes more spread 
out, and the peak value at (m, n) becomes smaller. Since R_mn in sparse regions 
of S is large compared to those in dense regions of S, the resulting shades of 
grey in I correspond to the relative density of the dots in S. 

Each pixel in I is the cumulative sum of the convolution operations on the 
windows determined by the dots around that pixel. Thus, if (x, y) is surrounded 
by dots in S, then pixel I(x, y) would appear dark even if S(x, y) = 0. The pixel 
values of I are normalised so that the largest and smallest values appear as black 
and white, respectively, and those in between as degrees of grey. 
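The restoration procedure above, with the window of eq. (8) and the Poisson kernel λ^d e^{-λ}/Γ(d+1) of eq. (9) (d and λ as defined by the paper), as an added Python example; this is not the paper's code. The k-nearest-dot search is a brute-force scan rather than the method of reference [5], the 16x16 sample image is constructed for the example, the window bounds are taken inclusive, and the output scale (1.0 = black, 0.0 = white) is a choice made here. The sample contains a small cluster and one isolated dot: the isolated dot gets a large r_mn, so its window is wide and its contribution to I is faint, which is the effect the paper describes for sparse regions.

```python
import math


def find_dots(S):
    """Coordinates (m, n) of every black pixel, i.e. every S[m][n] == 1."""
    return [(m, n) for m, row in enumerate(S) for n, v in enumerate(row) if v == 1]


def average_nearest_distance(dot, dots, k):
    """r_mn: mean Euclidean distance from dot to its k nearest other dots.
    Brute-force scan here (the paper uses the method of its reference [5]).
    Edge cases: fewer than k other dots -> all of them are used;
    a lone dot -> r = 1, i.e. a 3x3 window around it."""
    m, n = dot
    dists = sorted(math.hypot(m - a, n - b) for (a, b) in dots if (a, b) != dot)[:k]
    return sum(dists) / len(dists) if dists else 1.0


def poisson_window(m, n, r, height, width):
    """phi(x, y) over R_mn, normalised to sum 1, as a dict {(x, y): phi}.
    lambda = sqrt(2) r is the distance from (m, n) to a corner of R_mn, so
    d = lambda - dist(x, y) runs from lambda at the centre down to 0 at the corners.
    The window bounds are taken inclusive and clipped to the image."""
    lam = math.sqrt(2) * r
    window = {}
    for x in range(max(0, math.ceil(m - r)), min(height - 1, math.floor(m + r)) + 1):
        for y in range(max(0, math.ceil(n - r)), min(width - 1, math.floor(n + r)) + 1):
            d = lam - math.hypot(x - m, y - n)
            window[(x, y)] = lam ** d * math.exp(-lam) / math.gamma(d + 1)
    total = sum(window.values())
    return {p: v / total for p, v in window.items()}


def restore_image(S, k):
    """procedure RestoreImage: returns I with 1.0 = black (densest) and 0.0 = white."""
    height, width = len(S), len(S[0])
    I = [[0.0] * width for _ in range(height)]
    dots = find_dots(S)
    for (m, n) in dots:
        r = average_nearest_distance((m, n), dots, k)
        for (x, y), phi in poisson_window(m, n, r, height, width).items():
            I[x][y] += phi                       # cumulative sum of the convolutions
    lo, hi = min(map(min, I)), max(map(max, I))
    if hi > lo:                                  # map the value range onto white..black
        I = [[(v - lo) / (hi - lo) for v in row] for row in I]
    return I


# Constructed sample: a 16x16 image with a small cluster of dots and one isolated dot.
SAMPLE_S = [[0] * 16 for _ in range(16)]
for _m, _n in [(4, 4), (4, 5), (5, 4), (5, 5), (4, 6), (6, 4), (12, 12)]:
    SAMPLE_S[_m][_n] = 1

if __name__ == "__main__":
    restored = restore_image(SAMPLE_S, k=2)
    for row in restored:                        # crude grey-scale rendering
        print("".join(" .:-=+*#%@"[min(9, int(v * 9.99))] for v in row))
```

Running the script prints the restored image as characters: the cluster comes out dark, the isolated dot faint, and pixels outside every window stay white.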



3.2 Search Method 

At the start of the search, S is obtained by sampling the search space uniformly 
until N is sufficiently large for k to be > 1. The samples are tested using the 
fast techniques discussed in Section 2. Then, the image restoration technique is 
applied on S to obtain the image I. The dark regions of I indicate the areas 
where large concentrations of cocyclic Hadamard matrices were found. Figure 
4 shows the restored image I for t = 5 as the search progressed. Note that the 
light image in Figure 4-a is an indication that N is too small, and the dots too 
spread out, for the technique to identify areas of particular interest. 

Fig. 3. φ(x, y) over R_mn 

The range of the I values is partitioned into p intervals, each of length 
(I_max − I_min)/p. Figure 4-e shows an example of the regions determined by the 
intervals. 

Sample points are selected uniformly (among those not yet known to be 
cocyclic Hadamard) such that each interval has an equal number of points. Since 
a Poisson kernel is used over a sparse point-set image, the total area of the regions 
with high I values can be expected to be much smaller than the total area of 
the regions with low I values. Thus, regions which correspond to high I values 
are sampled more densely than those at lower I values. The idea is to put more 
effort in searching regions around clusters of known cocyclic Hadamard matrices, 
but without neglecting the bare regions between the clusters. 

The search continues by testing the samples using the fast techniques dis- 
cussed in Section 2. As more cocyclic Hadamard matrices are found from the 
samples, S is updated and the image I is re-calculated. The search then contin- 
ues using the new I. a_t is used to estimate a maximum value for N. The search 
terminates as soon as N reaches that value. However, frequent re-calculation of 
I has to be avoided as the computational cost can outweigh the benefits. 

The restored image, I, is regarded as the result obtained by using the kernel 
to evaluate the information provided by the k-nearest neighbours. An obvious 
way to determine areas of interest using S is to have a rectangular window slide 
through the search space. As soon as the density of the dots inside the rectangle 
reaches a threshold, the area is tagged as an area of interest. Image restoration 
techniques can be thought of as a systematic way of identifying these areas. In 
the case of the image restoration technique discussed in Section 3.1, the size of 
the rectangle is adaptive, depending on the local information determined by the 
k-nearest neighbours. The technique also approximates the likelihood of having 
values along the gaps between the dots. Rather than having a threshold over the 
density, the “levels of interest” are determined by the kernel with respect to the 
relative distances between the points. 
[Figure panels: (a) 6.25% found, k = 1; (b) 12.5% found, k = 2; (c) 25% found, k = 4; 
(d) 50% found, k = 7; (e) 50% found, interval regions; (f) 100% found, k = 15] 

Fig. 4. Figures (a) to (d) show the reconstructed image I with t = 5 as the search 
progressed. The parameter k is estimated based on the a_t. Figure (e) shows the par- 
titioning of the range of I values into p = 5 intervals. Regions of the same shade of 
grey, including the black and the white, correspond to points belonging to the same 
interval. Figure (f) shows the full reconstructed image. 
4 Results 

For small values of t, the techniques discussed in Section 2 were sufficient to 
perform a full search efficiently. It was observed that Equation 3 tends to fail 
early if the matrix is not cocyclic Hadamard. A full search at t = 5, for example, 
found all cocyclic Hadamard matrices in just a few seconds. Furthermore, only 
1.066% of the search space was found to be cocyclic Hadamard. The search 
method proposed in Section 3 found all these matrices without considering about 
35% of the search space. However, the additional cost of computing the images 
resulted overall in a slightly longer processing time. 

At t = 7, however, a full search would take a considerably longer time despite 
the techniques outlined in Section 2, due to the larger size of the search space 
and the increase in the dimensions of the matrices. In addition, only 0.038% 
of the search space was found to be cocyclic Hadamard. In order to apply the 
search method, the images were partitioned to manageable sizes. The method 
found all cocyclic Hadamard matrices without accessing 39% of the search space. 
The processing time was also reduced considerably despite the additional cost 
of calculating the images. 

As t becomes large, the size of the search space grows exponentially. At the 
same time, Equation 7 predicts that the fraction of cocyclic Hadamard matrices 
decreases significantly compared to the search space. This search method aims 
to find that small fraction of cocyclic Hadamard matrices without going through 
the enormous set of possibilities. 



4.1 Self-dual Codes Obtained from Dihedral Cocyclic Hadamard Matrices 

The techniques described in Sections 2 and 3 were used to generate all Hadamard 
matrices cocyclic over D_{4t} for t odd. Thus the Hadamard matrices used here were 
obtained differently from the ones obtained by Tonchev [11]. 

Then the following process was used to find cocyclic self-dual codes: keep all 
matrices with the number of +1's in each row congruent to either 3 (mod 4) or 
1 (mod 4). 

To produce doubly-even codes, every row with the number of +1's congruent 
to 1 (mod 4) is multiplied by −1 to make the number of +1's congruent to 3 
(mod 4). Next we use the [I,H] construction to generate the self-dual doubly- 
even codes. A similar strategy is used to generate the singly-even self-dual codes. 

During the search for extremal self-dual codes, we also found codes with only 
one code word of minimum weight. This interesting case was first encountered 
in the case t = 5, and only among the doubly-even codes in that case. 

In the search for self-dual codes for t = 7 we found singly-even codes with one 
codeword of minimum weight, whereas in the case t = 9 there are both singly- 
even and doubly-even codes of this type. Furthermore we found one equivalence 
class of an extremal doubly-even self-dual [56, 28,12] code and two equivalence 
classes of singly-even [56,28,10] codes. 
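The process of this subsection (row filter, sign normalisation, [I,H] construction, self-duality check and partial weight enumerator in the paper's "8:1" notation) run end to end, as an added Python example that is not the paper's code. The paper's matrices come from its D_{4t}-cocyclic search, which is not reproduced here; the sample input is instead the order-12 Paley Hadamard matrix (t = 3), with its first column negated so that every row has an odd number of +1's (the raw Paley matrix has rows with 12 and 6 ones and is rejected by the filter, which the example also shows). Two rows are additionally negated so that the sign rule has something to do. The resulting [I|A] code is the [24,12,8] Golay code, whose weight distribution (1, 759, 2576, 759, 1) is a known fact used as the expected result.

```python
from itertools import product


def legendre(a, p):
    """Quadratic character of a mod p: +1 for a non-zero square, -1 otherwise, 0 if p | a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def paley_hadamard(p):
    """Paley type-I Hadamard matrix of order p + 1 (p prime, p = 3 mod 4): H = I + S,
    S skew with first row (0, 1, ..., 1), first column (0, -1, ..., -1) and
    S[i][j] = legendre(j - i) elsewhere. Sample input only; the paper's matrices
    are the D_4t-cocyclic ones found by its search."""
    n = p + 1
    H = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if i == j:
                H[i][j] = 1
            elif i == 0:
                H[i][j] = 1
            elif j == 0:
                H[i][j] = -1
            else:
                H[i][j] = legendre(j - i, p)
    return H


def is_hadamard(H):
    n = len(H)
    return all(sum(a * b for a, b in zip(H[i], H[j])) == (n if i == j else 0)
               for i in range(n) for j in range(n))


def negate(H, rows=(), cols=()):
    """Multiply the given rows and columns by -1 (an equivalence operation on Hadamard matrices)."""
    return [[-v if (i in rows) != (j in cols) else v for j, v in enumerate(row)]
            for i, row in enumerate(H)]


def normalise_rows(H):
    """The paper's filter and sign rule: every row must have a number of +1's congruent to
    1 or 3 (mod 4); rows congruent to 1 are multiplied by -1, which makes the count
    4t - w = 3 (mod 4). Returns None when some row has an even count (matrix rejected)."""
    out = []
    for row in H:
        w = row.count(1)
        if w % 4 == 3:
            out.append(list(row))
        elif w % 4 == 1:
            out.append([-v for v in row])
        else:
            return None
    return out


def generator_from_hadamard(H):
    """[I, H] construction: rows of the binary generator matrix [I | A] as integers,
    where A is H with -1 replaced by 0."""
    n = len(H)
    return [int("".join("1" if j == i else "0" for j in range(n))
                + "".join("1" if v == 1 else "0" for v in H[i]), 2) for i in range(n)]


def is_self_dual(rows):
    """Rows of [I | A] are independent, so the code is self-dual iff every pairwise
    inner product (each row with itself included) is even."""
    return all(bin(r & s).count("1") % 2 == 0 for r in rows for s in rows)


def weight_distribution(rows):
    """Weight of every one of the 2^n codewords generated by rows."""
    dist = {}
    for coeffs in product((0, 1), repeat=len(rows)):
        cw = 0
        for c, r in zip(coeffs, rows):
            if c:
                cw ^= r
        w = bin(cw).count("1")
        dist[w] = dist.get(w, 0) + 1
    return dist


def partial_enumerator(dist):
    """The paper's notation: '8:1' means one codeword of weight 8."""
    return ", ".join(f"{w}:{c}" for w, c in sorted(dist.items()) if w)


def self_dual_code_from_paley(p=11):
    """Whole pipeline on the order-12 Paley matrix: negate column 0 so every row has an
    odd number of +1's, negate rows 1 and 2 so that they have 5 = 1 (mod 4) ones
    (exercising the sign rule), then filter, normalise and build [I | A]."""
    H = negate(paley_hadamard(p), cols=(0,))
    H = negate(H, rows=(1, 2))
    rows = generator_from_hadamard(normalise_rows(H))
    return rows, weight_distribution(rows)


if __name__ == "__main__":
    print("raw Paley matrix passes the row filter:", normalise_rows(paley_hadamard(11)) is not None)
    rows, dist = self_dual_code_from_paley()
    print("self-dual:", is_self_dual(rows), " weights:", partial_enumerator(dist))
```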
The vectors M and N are given in the form of integers. The corresponding 
vectors are generated by converting the integers to binary, and then replacing 
all 0's with −1's. 

In the case of t = 7 one equivalence class of a doubly-even extremal code 
was found. The representative of the class is given below. The Hadamard matrix 
obtained here is converted into an equivalent form given by Tonchev [11] (see [1] 
for details) before being used in the [I, H] form. 



Code         {M;N}        |Aut C| 
[56,28,12]   2311;6602    58968 = 2^3 × 3^4 × 7 × 13 



The table below lists the codes found with partial weight enumerators in the 
form 8:1 meaning 1 codeword of weight 8. The complete weight enumerators can 
be obtained using Gleason’s Theorem [9]. 



No.  Code         {M;N}            de or se   Weight Enumerator 
 1   [40,20,4]    700; 868         de         4:1, 8:309 
 2   [56,28,8]    430; 1765        se         8:1, 10:248, 12:4116 
 3   [56,28,8]    2583; 3190       se         8:1, 10:272, 12:4068 
 4   [56,28,8]    3795; 7632       se         8:1, 10:256, 12:4100 
 5   [56,28,10]   3487; 7250       se         10:284, 12:4038 
 6   [56,28,10]   5113; 5908       se         10:268, 12:4070 
 7   [72,36,8]    11916; 253733    se         8:1, 10:15, 12:556 
 8   [72,36,8]    132316; 179038   se         8:1, 10:6, 12:722 
 9   [72,36,8]    70627; 95888     se         8:1, 10:14, 12:536 
10   [72,36,8]    616; 94613       de         8:1, 12:1060 



5 Conclusion 

The fast search techniques discussed in this paper demonstrate two comple- 
mentary approaches to the problem of finding self-dual codes. One approach is 
to develop techniques specific to the domain we are searching. The techniques in 
Section 2, for example, are effective but specific to the structure of D_{4t}-cocyclic 
Hadamard matrices and the [I|H] construction of self-dual codes. 

The second approach is to consider a general framework based on techniques 
developed in other problem domains. Image restoration techniques have always 
been concerned with approximating the missing pixel values in a damaged pic- 
ture. We have adapted that technique to approximate the locations of missing co- 
cyclic Hadamard matrices in the search space. The framework can be applied to 
any problem domain where the search space can be mapped to a two-dimensional 
region, and the missing points are unlikely to be uniformly distributed. 



6 Further Work 

The authors are currently working on implementing the search method in a 
distributed computing environment, such as the Parallel Parametric Modelling 
Engine [6] facility at Monash University. Although the search method can be 
useful in finding the cocyclic Hadamard matrices which can be used in the 
[I|H] construction of self-dual doubly-even and singly-even codes, identifying 
the equivalence classes remains rather tedious and time-consuming. We are yet 
to find a systematic way of doing that task more easily. 
Abstract. We show in this article how the multi-stage encoding scheme 
proposed in [3] may be used to construct the [24, 12, 8] Golay code, and 
two extremal self-dual codes with parameters [32,16,8] and [40,20,8] 
by using an extended [8, 4, 4] Hamming base code. An extension of the 
construction of [3] over Z4 yields self-dual codes over Z4 with parame- 
ters (for the Lee metric over Z4) [24, 12, 12] and [32, 16, 12] by using the 
[8, 4, 6] octacode. Moreover, there is a natural Tanner graph associated 
to the construction of [3], and it turns out that all our constructions 
have Tanner graphs that have a cyclic structure which gives tail-biting 
trellises of low complexity: 16-state tail-biting trellises for the [24, 12, 8], 
[32,16,8], [40,20,8] binary codes, and 256-state tail-biting trellises for 
the [24, 12, 12] and [32, 16, 12] codes over Z4. 

Keywords : self-dual codes, tail-biting trellises, codes over Z4, Tanner 
graph. 



1 Introduction 

We first recall the multi-stage encoding scheme of [3]. It uses a 1/2-rate binary 
[2k, k] base code and yields a 1/2-rate [2K, K] code for any K which is a multiple 
of k. To describe the construction we first need to choose a systematic genera- 
tor matrix (I|P) for the base code. The construction also uses ℓ permutations 
π_1, π_2, ..., π_ℓ of {1, 2, ..., K}. The resulting [2K, K] code is obtained as follows. 

To encode a message x = (x_1, x_2, ..., x_K) of length K, x is split into t = K/k 
blocks of size k, namely (b_1, b_2, ..., b_t), which are encoded by the base code to 
yield the redundancy blocks f(x) = (b_1 P, b_2 P, ..., b_t P), so as to form a new bi- 
nary message y^{(1)} of length K. Then we permute the coordinates of y^{(1)} with π_1 
and we iterate this process to obtain f π_ℓ f π_{ℓ−1} ... π_1 f(x). The encoding 
of x will be the codeword (x_1, x_2, ..., x_K, y_1^{(ℓ+1)}, ..., y_K^{(ℓ+1)}). This 
is an (ℓ + 1)-stage code. To avoid cumbersome superscripts we denote by r the 
message y^{(ℓ+1)}. 
(c) Springer-Verlag Berlin Heidelberg 2001 
[Figure: Stage 1, Stage 2, Stage 3; inputs x_1, x_2, x_3, x_4, ..., x_K; outputs r_1, r_2, r_3, r_4, ..., r_12] 

Fig. 1. Architecture of a 3-stage [24, 12] block code 



This construction has a few interesting features: 

— The resulting code is self-dual whenever the base code is itself self-dual [4]. 
What is more, it is readily checked that if the base code is t-divisible (i.e. 
all the codeword weights are divisible by t) then the resulting code is also 
t-divisible if the number of stages is odd. This implies that if the base code is 
self-dual of type II then all the codes obtained by this construction with an 
odd number of stages are also self-dual of type II. Making the permutations 
vary over S_K gives a whole family of self-dual codes for any length which 
is a multiple of the length of the base code. It seems that many extremal 
self-dual codes can be obtained in this way when the base code is chosen to 
be the [8,4,4] self-dual extended Hamming code (see [4,5]). 

— If the number of stages goes to infinity with the length of the code and 
if the permutations are chosen at random, then these codes tend to look 
like random codes. For instance, if the short code is an extended [8,4,4] 
Hamming code and when the number of stages is large enough, then almost 
all these codes lie on the Gilbert-Varshamov bound and have a binomial 
distance distribution [11]. 

— As shown in [10], these codes have a natural iterative decoding algorithm: 
one round of decoding consists in decoding all small underlying base codes. 
However this decoding algorithm is highly sensitive to the number of stages; 
it turns out that the optimal number of stages is 3 for this iterative decoding 
algorithm [10] to work properly. 

This leads us to study what extremal codes can be obtained from this con- 
struction by using only 3 stages. Not only do we show in this article how to 
construct, with only 3 stages and with the [8,4,4] Hamming code as base code, 
the [24,12,8] Golay code and two extremal [32,16,8] and [40,20,8] self-dual 
codes, but it also turns out that the constructions given in this article have an 
underlying Tanner graph with only a few cycles, which is clearly desirable for 
iterative decoding. Moreover, by choosing as base code the [8,4,6] octacode over 
Z4, we get, by using the same structure, two self-dual codes over Z4 with param- 
eters (for the Lee metric) [24, 12, 12] and [32, 16, 12]. By the Gray map these 
two codes give two non-linear binary codes of rate 1/2, of length 48 and 64 and of 
distance 12. 

What is more, the Tanner graphs associated to our constructions basically 
yield minimal 16-state tail-biting trellises for the Golay code, the [32, 16, 8] and 
the [40, 20, 8] codes. For the [48, 24, 12] and [64, 32, 12] non-linear binary codes 
obtained by the Gray map from the [24, 12, 12] and [32, 16, 12] self-dual codes 
over Z4, we also obtain a tail-biting trellis with only very few states, namely 
256. This should be compared with the 256-state tail-biting trellis obtained for 
the [48, 24, 12] quadratic-residue code (see [8]). 

2 The Associated Tanner Graph 

There is a natural Tanner graph associated to our construction, namely the one 
which has for variable nodes all the x_j's, the y_j^{(i)}'s and the r_j's. We say that a 
node associated to an x_j or an r_j is a symbol node, and the other variable nodes 
are state nodes. This terminology comes from the fact that the symbol nodes 
form a codeword of the overall code, and the state nodes are only auxiliary nodes 
which are needed to compute the codeword. Each check node is associated to a 
P box of the encoding process, and a variable node is associated to a check node 
if it is either an input or an output of the P box associated to it. 





[Figure: 2-stage encoder and Tanner graph; symbol nodes r_2, r_3, r_4, r_5, r_7, r_8 visible] 

Fig. 2. 2-stage encoding of a [16,8] code with its associated Tanner graph. 



In this article we concentrate on codes obtained from our construction using 
a base code of length 8, with only 3 stages of encoding, and which have an 
associated Tanner graph with a very simple structure: 

if two check nodes have at least one variable node in common, then they have 
exactly 2 of them. 
It is well known how to perform optimal and efficient soft decision decoding 
on any memoryless channel when the Tanner graph of the code is cycle free [15]. 
The Tanner graphs of the codes considered in this article have cycles; however, 
by grouping together two variable nodes which are adjacent to a same check 
node, we obtain a Tanner graph that has fewer cycles than the original one. We 
also group the symbol nodes which are associated to the same check node. From 
now on, we only deal with this “simplified” Tanner graph. 




Fig. 3. The simplified Tanner graph. 

The reasons why we restricted ourselves to such codes are twofold: 

- iterative decoding with such codes performs better (the associated Tanner 
graph has fewer cycles), 

- we still obtain quite a few extremal self-dual codes with this restriction, and 
they naturally yield simple tail-biting trellises for our codes (see the following 
section). 

3 Extremal Type II Self-dual Codes of Minimum Distance 8 

3.1 Constructions 

In this section we show how to obtain with our construction several extremal self- 
dual codes of minimum distance 8. The base code is chosen to be the Hamming 
code with generator matrix 

1 0 0 0 0 1 1 1 
0 1 0 0 1 0 1 1 
0 0 1 0 1 1 0 1 
0 0 0 1 1 1 1 0 

In other words (x_1, x_2, x_3, x_4)P is equal to (x_1, x_2, x_3, x_4) if the weight of (x_1, x_2, 
x_3, x_4) is even and to (x̄_1, x̄_2, x̄_3, x̄_4) otherwise. 




Low Complexity Tail-Biting Trellises of Self-dual Codes 



An example of a [24, 12, 8] Golay code encoder is shown below in Figure 4: 

[Figure: Stage 1, Stage 2, Stage 3, with π_1 and π_2 between the stages] 

Fig. 4. 3-stage encoding of the [24, 12, 8] Golay code. 

π_1 maps (1, 2, 3, ..., 12) onto (1, 5, 2, 6, 3, 9, 4, 10, 7, 11, 8, 12), and π_2 maps 
(1, 2, 3, ..., 12) onto (2, 6, 1, 5, 4, 10, 3, 9, 8, 12, 7, 11). 

The associated Tanner graph has the following cyclic structure (we identify 
the check node B_0 at the top with the check node B_0 at the bottom). 

[Figure: symbol nodes (r_1, r_2, r_3, r_4), (r_5, r_6, r_7, r_8), (r_9, r_10, r_11, r_12)] 

Fig. 5. The Tanner graph of the Golay code 

Actually, there are many other choices of permutations which lead to the 
Golay code; the nice feature of this choice is that, by changing the base code to 
the octacode over Z4, we obtain with the same choice of permutations a [24, 12, 12] 
code over Z4. It is readily checked (and this will be the issue of subsection 5.1) 
that by merging state nodes which are on the same level we obtain a new Tanner 
graph which is a cycle and which yields a 16-state tail-biting trellis. 

Two extremal [32,16,8] and [40,20,8] codes are obtained by a similar con- 
struction with Tanner graphs which have a similar necklace structure. Since all 
our Tanner graphs in our article have the same structure, let us define more 
formally a graph of this kind. 

Definition 1. The necklace graph N(k) of order k is a bipartite graph with 9 
kinds of nodes: the nodes A_i, B_i, C_i, which are on one side of the bipartition 
(these nodes are check nodes), and s^i, t^i, u^i, v^i (these are the state nodes), x^i, r^i 
(these are the symbol nodes) on the other side, for 0 ≤ i ≤ k − 1. A_i is adjacent 
to …, B_i is adjacent to … (indices taken mod k), and C_i is adjacent 
to r^i, t^i, v^i. 

Fig. 6. One link of the necklace 



The Tanner graph of the Golay code is nothing else but N(3). 

The [32, 16, 8] cps5 code encoder is given by the two identical permutations 
π_1 and π_2 mapping the ordered integer set (1, 2, 3, ..., 16) onto 

(1, 5, 2, 6, 3, 9, 4, 10, 7, 13, 8, 14, 11, 15, 12, 16). 

Its Tanner graph is N(4). 

An example of a [40, 20, 8] type-II self-dual extremal code encoder is given 
by the two identical permutations π_1 and π_2 mapping the ordered integer set 
(1, 2, 3, ..., 20) onto (1, 5, 2, 6, 3, 9, 4, 10, 7, 13, 8, 14, 11, 17, 12, 18, 15, 19, 16, 20). 
The associated Tanner graph is N(5). 
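The multi-stage encoder of the introduction, with the Hamming base code (I|P) and the permutations of this subsection, as an added Python example; this is not the paper's code. One assumption is made that the page does not settle: a permutation π is applied so that position i of the permuted vector holds coordinate π(i) of its input. The weight enumerator is computed by brute force over all codewords (the paper computes it from the cyclic Tanner graph in subsection 5.2); for the Golay permutations it returns W(Z) = 1 + 759Z^8 + 2576Z^12 + 759Z^16 + Z^24, and for the [32,16,8] permutations a doubly-even code of minimum distance 8. The value 620 for the number of weight-8 words of an extremal type II [32,16,8] code is a known fact, not taken from the page.

```python
# Parity part P of the systematic generator matrix (I|P) of the [8,4,4] extended
# Hamming code given in Section 3.1: (x1,x2,x3,x4)P is the block itself when its
# weight is even and its complement otherwise.
P = [[0, 1, 1, 1],
     [1, 0, 1, 1],
     [1, 1, 0, 1],
     [1, 1, 1, 0]]

# Permutations quoted in Section 3.1 (pi(i) is the i-th entry, 1-based).
PI_24 = ([1, 5, 2, 6, 3, 9, 4, 10, 7, 11, 8, 12],
         [2, 6, 1, 5, 4, 10, 3, 9, 8, 12, 7, 11])                  # [24,12,8] Golay code
PI_32 = ([1, 5, 2, 6, 3, 9, 4, 10, 7, 13, 8, 14, 11, 15, 12, 16],) * 2   # [32,16,8]
PI_40 = ([1, 5, 2, 6, 3, 9, 4, 10, 7, 13, 8, 14, 11, 17, 12, 18, 15, 19, 16, 20],) * 2


def base_parity(block):
    """block * P over GF(2): one P box of the encoder."""
    return [sum(b * P[i][j] for i, b in enumerate(block)) % 2 for j in range(4)]


def f(bits):
    """One stage: every block of 4 bits goes through its own P box."""
    return [v for i in range(0, len(bits), 4) for v in base_parity(bits[i:i + 4])]


def permute(bits, pi):
    """Assumed convention: position i of the result holds coordinate pi(i) of the input."""
    return [bits[p - 1] for p in pi]


def encode(x, perms):
    """Codeword (x, r) with r = f pi_l f pi_{l-1} ... pi_1 f(x), i.e. l+1 stages."""
    y = f(list(x))
    for pi in perms:
        y = f(permute(y, pi))
    return list(x) + y


def generator_rows(perms):
    """Generator matrix rows, as integers, obtained by encoding the unit vectors."""
    k = len(perms[0])
    rows = []
    for i in range(k):
        cw = encode([1 if j == i else 0 for j in range(k)], perms)
        rows.append(int("".join(map(str, cw)), 2))
    return rows


def weight_distribution(perms):
    """Brute-force weight enumerator: a Gray-code walk over all 2^k codewords, flipping
    one generator row per step (the paper derives it from the Tanner graph instead)."""
    rows = generator_rows(perms)
    dist, cw = {}, 0
    for m in range(1 << len(rows)):
        if m:
            cw ^= rows[(m & -m).bit_length() - 1]   # row indexed by the lowest set bit of m
        w = bin(cw).count("1")
        dist[w] = dist.get(w, 0) + 1
    return dist


def is_self_dual(perms):
    """Rows of [I | M] are independent, so self-dual iff all pairwise products are even."""
    rows = generator_rows(perms)
    return all(bin(r & s).count("1") % 2 == 0 for r in rows for s in rows)


def min_distance(dist):
    return min(w for w in dist if w)


if __name__ == "__main__":
    for name, perms in (("[24,12]", PI_24), ("[32,16]", PI_32)):
        dist = weight_distribution(perms)
        terms = " + ".join(f"{c}Z^{w}" if w else str(c) for w, c in sorted(dist.items()))
        print(name, "self-dual:", is_self_dual(perms), " W(Z) =", terms)
```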

3.2 Proving That the Minimum Distance Is 8 

To obtain the aforementioned bound on the minimum distance, we consider a 
non-zero codeword and the corresponding values taken at the variable nodes: 

- the values of the symbol nodes are given by the coordinates of the codeword, 

- the values of the state nodes are given by the encoding process explained in 
the introduction. Note the following fundamental property which holds for every 
check node of the Tanner graphs of our codes: 

(P1) The binary word of length 8 formed by the values taken at the symbol 
or state nodes adjacent to a check node belongs to the [8,4,4] extended Hamming 
code. 

When this binary word of length 8 is not equal to the zero word, we say that 
the corresponding check node sees a non-zero Hamming codeword around it. We 
also say that a state (or symbol) node carries weight a, iff the value taken at 
the corresponding node has weight a. 

The fact that all the codes which are obtained in this way have minimum 
distance greater than or equal to 8, is a consequence of the fact that all the 
permutations have been chosen such that the two following properties hold: 

(P2) The Tanner graph of our codes is a necklace graph of order k ≥ 3. State 
nodes carry values over {0, 1}^2, symbol nodes carry values over {0, 1}^4. 

(P3) Whenever a check node of degree 4 (that is a check node which is adjacent 
to exactly 4 nodes which are actually state nodes) sees a non-zero Hamming 
codeword around it, then at least three of its adjacent nodes carry non-zero values. 

It is straightforward to check that, for a code which has a Tanner graph which 
satisfies (P1) and (P2), (P3) is necessary to ensure that the minimum distance 
is greater than 4. It turns out that if the Tanner graph meets all these properties 
(P1), (P2), (P3), then the resulting code has minimum distance at least 8. This 
is a straightforward consequence of the two following facts. 

Fact 1 To check that the minimum distance is greater than or equal to 8, it is 
sufficient to check that there is no weight 4 codeword. 

This is a consequence of the more general fact that all the self-dual codes 
constructed with an odd number of stages with our construction by using the 
self-dual [8,4,4] Hamming code are self-dual of type II, see [4]. 

Fact 2 If a symbol node has weight 1, then the 2 other state nodes adjacent to 
the same check node also carry non-zero values. 

This comes from the fact that if the Hamming weight of a symbol node is 1, 
then the sum of the weights of the 2 state nodes which are adjacent to the same 
check node is 3. 

We are ready now to prove that the codes which have a Tanner graph satisfy- 
ing properties (P1), (P2), (P3) have minimum distance at least 8. We distinguish 
between two different cases. 

Case 1: only one check node of degree 4 (in other words a node of type B, 
which we denote by B_i) sees a non-zero Hamming codeword around it. There 
are 2 possibilities: 

- either the 4 state nodes adjacent to it carry weight 2; this implies that the 4 
symbol nodes which are at distance 3 from this check node (i.e. x^i, …, 
r^{(i−1) mod k}) have Hamming weight 2. In other words the weight of the codeword 
is at least 2 + 2 + 2 + 2 = 8 in this case. 

- or at least two of the non-zero state nodes adjacent to this check node carry 
weight 1; this means that the two check nodes of degree 3 adjacent to these 
2 state nodes are adjacent to a symbol node which has weight 3 (since these 
2 check nodes are both adjacent to three nodes: one state node of weight 1, 
another state node of weight 0 by hypothesis, and a symbol node which has to 
be of weight 3 because the values taken at these 3 nodes should form a codeword 
of the [8,4,4] extended Hamming code). In other words, we have a codeword of 
weight at least 3 + 3 = 6 and therefore of weight at least 8 by Fact 1. 

Case 2: at least two check nodes of degree 4 see non-zero Hamming codewords 
around them. From property (P3) we know that there are at least 4 symbol 
nodes which are at distance 3 from these two check nodes which are non-zero. 
Assume that all these 4 symbol nodes have Hamming weight 1 (otherwise we are 
done by Fact 1), then all are adjacent to a check node for which the two other 
state nodes adjacent to it are non-zero (Fact 2). Notice now that at least one of 
these non-zero state nodes is adjacent to a third check node of degree 4 (1) which 
has to see a non-zero codeword around it too. By using property (P3) again for 
this check node we obtain a new symbol node which is non-zero. This gives at 
least 5 non-zero symbol nodes, and yields a codeword of weight at least 5, and 
therefore of weight at least 8 by Fact 1. 

4 Self-dual Z4 Codes with Minimum Distance 12 

The short base code is chosen to be the [8, 4, 6] octacode with generator matrix 

1 0 0 0 2 1 3 1 
0 1 0 0 3 2 1 1 
0 0 1 0 1 3 2 1 
0 0 0 1 1 1 1 2 

It turns out that the same choice of permutations which has given the Golay 
code in Section 3 also works here to give a [24, 12] code with minimum (Lee) 
distance 12. This code is also self-dual. There are many ways to check this 
last fact. One may notice that the Tanner graph associated to it is normal [6] 
(the symbol nodes have degree 1 and the state nodes have degree 2) and all 
the constraints at the check nodes are self-dual (see [6]), therefore from [6] the 
associated code is self-dual. Note that this Tanner graph is the necklace graph 
N(3). 

The fact that the minimum distance is 12 follows from a reasoning which is 
similar to the one given in the previous section, but it is unfortunately too 
long to be included here. It will be included in an extended version of this paper. 
One can also use the method which is sketched in subsection 5.2 to calculate the 
weight enumerator polynomial to prove this fact. 

A [32, 16, 12] self-dual code over Z4 is also obtained from the octacode with 

π_1(1, 2, 3, ..., 16) = (1, 5, 2, 6, 3, 9, 4, 10, 7, 13, 8, 14, 11, 15, 12, 16) 

π_2(1, 2, 3, ..., 16) = (2, 6, 1, 5, 4, 10, 3, 9, 8, 14, 7, 13, 12, 16, 11, 15) 

(1) Note that it is here that we need at least three check nodes of degree 4, so that the 
order of our necklace graphs has to be at least 3. 
5 Conclusion 

5.1 Construction of Tail-Biting Trellises of Low Complexity 

This construction can be easily put into the form of a tail-biting trellis by merging 
the nodes of the same type on the same level, i.e. A_i is merged with C_i, x^i is 
merged with r^i, s^i is merged with t^i, and u^i is merged with v^i. The resulting 
Tanner graph is a cyclic chain: this leads to a tail-biting trellis as can be readily 
checked from the definition of a tail-biting trellis given for instance in [2]. For the 
codes of distance 8 that we have constructed in this article, the number of values 
which can be taken at the new state nodes, that is 4 × 4 = 16, gives the state 
complexity of the tail-biting trellis. From Proposition 6 in [2] we know that the 
state complexity of any linear tail-biting trellis of a rate 1/2 binary code with 
minimum distance 8 is at least 16: this implies that our tail-biting trellises are 
minimal with respect to the state complexity. 

For the codes of distance 12 that we have constructed, the state complexity 
is 256. We do not know any bound which would show that this state complexity 
is minimal, however this state complexity is the same as the state complexity of 
the tail-biting trellis of the [48,24,12] quadratic residue code found by Kotter 
and Vardy [8]. 

5.2 Computing the Weight Enumerator Polynomial 

It is well known how to compute the weight enumerator of a code which has a 
Tanner graph which is a tree [1] (this contains as a special case the computation 
of the weight enumerator of a code from its trellis). In our case we have codes 
which have Tanner graphs which are cycles (when we merge the nodes as ex- 
plained in the previous subsection). A slight generalization (see [8] for instance) 
of this aforementioned method works in our case, and we obtain the well known 
weight enumerator polynomial W(Z) = 1 + 759Z^8 + 2576Z^12 + 759Z^16 + Z^24 of 
the Golay code. 

5.3 Iterative Decoding 

The Tanner graphs that we have constructed also allow performing sub-optimal 
iterative decoding by either the min-sum algorithm or the sum-product algorithm 
[15]. For tail-biting trellises (i.e. Tanner graphs which are cycles, which is the 
case for our Tanner graphs when we merge the state nodes which are on the 
same level) such iterative decoding algorithms achieve near-maximum-likelihood 
performance with only moderate performance [12] and have only very moderate 
complexity. 
Abstract. Codes over F_{q^m} that form vector spaces over F_q are called 
F_q-linear codes over F_{q^m}. Among these we consider only cyclic codes 
and call them F_q-linear cyclic codes (F_qLC codes) over F_{q^m}. This class 
of codes includes as special cases (i) group cyclic codes over elementary 
abelian groups (q = p, a prime), (ii) subspace subcodes of Reed-Solomon 
codes and (iii) linear cyclic codes over F_q (m = 1). Transform domain char- 
acterization of F_qLC codes is obtained using the Discrete Fourier Transform 
(DFT) over an extension field of F_{q^m}. We show how one can use these 
transform domain structures to estimate a minimum distance bound for 
the corresponding quasicyclic code by a BCH-like argument. 



1 Introduction 

A code over F_{q^m} (q is a power of a prime) is called linear if it is a vector space 
over F_{q^m}. We consider F_qLC codes over F_{q^m}, i.e., codes which are cyclic and form 
vector spaces over F_q. The class of F_qLC codes includes the following classes of 
codes as special cases: 

1. Group cyclic codes over elementary abelian groups: When q = p the 
class of F_pLC codes becomes group cyclic codes over an elementary abelian 
group G^m (a direct product of m cyclic groups of order p). A length n group 
code over a group G is a subgroup of G^n under componentwise operation. 
Group codes constitute an important ingredient in the construction of ge- 
ometrically uniform codes [4]. Hamming distance properties of group codes 
over abelian groups are closely connected to the Hamming distance properties 
of codes over subgroups that are elementary abelian [5]. Group cyclic codes 
over G^m have been studied and applied to block coded modulation schemes 
with phase shift keying [8]. It is known [13], [19] that group cyclic codes over 
G^m contain MDS codes that are not linear over F_{p^m}. 

2. SSRS codes: With n = q^m − 1, the class of F_qLC codes includes the 
subspace subcodes of Reed-Solomon (SSRS) codes [7], which contain codes 
with a larger number of codewords than any previously known code for some 
lengths and minimum distances. 

* This work was partly supported by CSIR, India, through Research Grant (22(0298)/99/EMR-II) to B. S. Rajan

S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 67-76, 2001.
3. Linear cyclic codes over finite fields: Obviously, with $m = 1$, the FqLC codes are the extensively studied class of linear cyclic codes.

A code is $m$-quasicyclic if a cyclic shift of the components of every codeword by $m$ positions gives another codeword [11]. If $\{\beta_0, \beta_1, \ldots, \beta_{m-1}\}$ is an $F_q$-basis of $F_{q^m}$, then any vector $(a_0, a_1, \ldots, a_{n-1}) \in F_{q^m}^n$ can be seen with respect to this basis as $(a_{0,0}, a_{0,1}, \ldots, a_{0,m-1}, \ldots, a_{n-1,0}, a_{n-1,1}, \ldots, a_{n-1,m-1})$, where $a_i = \sum_{x=0}^{m-1} a_{i,x}\beta_x$. This gives a 1-1 correspondence between the class of FqLC codes of length $n$ over $F_{q^m}$ and the class of $m$-quasicyclic codes of length $mn$ over $F_q$. Unlike in [3], which considers $(nm, q) = 1$, FqLC codes give rise to $m$-quasicyclic codes of length $mn$ with $(n, q) = 1$.

It is well known [1], [14] that cyclic codes over $F_q$ and over the residue class integer rings $Z_m$ are characterizable in the transform domain using the Discrete Fourier Transform (DFT) over appropriate Galois fields and Galois rings [12] respectively, and so is the wider class of abelian codes over $F_q$ and $Z_m$ using a generalized DFT [15], [16]. The transform domain description of codes is useful for encoding and decoding [1], [17]. The DFT approach for cyclic codes of arbitrary length is discussed in [6]. In this correspondence, we obtain a DFT domain characterization of FqLC codes over $F_{q^m}$ using the notions of certain invariant subspaces of extension fields of $F_{q^m}$, two different kinds of cyclotomic cosets and linearized polynomials.

The proofs of all the theorems and lemmas are omitted due to space limitations.



2 Preliminaries

Suppose $a = (a_0, a_1, \ldots, a_{n-1}) \in F_{q^m}^n$, where $(n, q) = 1$. From now on, $r$ will denote the smallest positive integer such that $n \mid (q^{mr} - 1)$, and $\alpha \in F_{q^{mr}}$ an element of multiplicative order $n$. The set $\{0, 1, \ldots, n-1\}$ will be denoted by $I_n$. The Discrete Fourier Transform (DFT) of $a$ is defined to be $A = (A_0, A_1, \ldots, A_{n-1}) \in F_{q^{mr}}^n$, where $A_j = \sum_{i=0}^{n-1} \alpha^{ij} a_i$, $j \in I_n$. $A_j$ is called the $j$-th DFT coefficient or the $j$-th transform component of $a$. The vectors $a$ and $A$ will be referred to as the time-domain vector and the corresponding transform vector respectively.

For any $j \in I_n$, the $q$-cyclotomic coset modulo $n$ of $j$ is defined as $[j]_n^q = \{i \in I_n \mid j = iq^t \bmod n \text{ for some } t \ge 0\}$, and the $q^m$-cyclotomic coset modulo $n$ of $j$ is defined as $[j]_n^{q^m} = \{i \in I_n \mid j = iq^{mt} \bmod n \text{ for some } t \ge 0\}$.

We'll denote the cardinalities of $[j]_n^q$ and $[j]_n^{q^m}$ as $e_j$ and $r_j$ respectively.

Example 1. Table 1 shows $[j]_{15}^{2}$, $[j]_{15}^{2^2}$ and $[j]_{15}^{2^4}$ for $j \in I_{15}$.

Mostly we'll have $n$ for the modulus, so we'll drop the modulus when not necessary. Clearly, a $q$-cyclotomic coset is a disjoint union of some $q^m$-cyclotomic cosets. If $J \subseteq I_n$, we write $[J]^q = \bigcup_{j \in J} [j]^q$ and $[J]^{q^m} = \bigcup_{j \in J} [j]^{q^m}$.

If $b = (a_{n-1}, a_0, \ldots, a_{n-2})$ is the cyclically shifted version of $a$, then $B_j = \alpha^j A_j$ for $j \in I_n$. This is the cyclic shift property of the DFT. The DFT components satisfy the conjugacy constraint [1], given by $A_{jq^m \bmod n} = A_j^{q^m}$. The conjugacy constraint relates the transform components in the same $q^m$-cyclotomic coset.

Table 1. Cyclotomic cosets modulo 15

  2-cycl. cosets    | {0} | {1,2,4,8} | {3,6,9,12} | {5,10} | {7,13,11,14}
  cardinality       |  1  |     4     |     4      |   2    |      4

  2^2-cycl. cosets  | {0} | {1,4} | {2,8} | {3,12} | {6,9} | {5} | {10} | {7,13} | {14,11}
  cardinality       |  1  |   2   |   2   |   2    |   2   |  1  |  1   |   2    |   2

  2^4-cycl. cosets  | {0} | {1} | {2} | {4} | {8} | {3} | {6} | {9} | {12} | {5} | {10} | {7} | {13} | {11} | {14}
  cardinality       |  1  |  1  |  1  |  1  |  1  |  1  |  1  |  1  |  1   |  1  |  1   |  1  |  1   |  1   |  1

Let $I_1, I_2, \ldots, I_l$ be some disjoint subsets of $I_n$ and suppose $R_{I_j} = \{(A_i)_{i \in I_j} \mid a \in C\}$ for $j = 1, 2, \ldots, l$. The sets of transform components $\{A_i \mid i \in I_j\}$, $1 \le j \le l$, are called unrelated for $C$ if $\{((A_i)_{i \in I_1}, \ldots, (A_i)_{i \in I_l}) \mid a \in C\} = R_{I_1} \times R_{I_2} \times \cdots \times R_{I_l}$.

For a code $C$, we say $A_j$ takes values from $\{\sum_{i=0}^{n-1} \alpha^{ij} a_i \mid a \in C\} \subseteq F_{q^{mr}}$. For linear cyclic codes, $A_j$ takes values from $\{0\}$ or $F_{q^{m r_j}}$, and transform components in different $q^m$-cyclotomic cosets are unrelated.

For any element $s \in F_{q^l}$, the set $[s]^q = \{s, s^q, s^{q^2}, \ldots, s^{q^{e-1}}\}$, where $e$ is the smallest positive integer such that $s^{q^e} = s$, is called the $q$-conjugacy class of $s$. Note that, if $\alpha \in F_{q^l}$ is of order $n$ and $s = \alpha^j$, then there is a 1-1 correspondence between $[j]^q$ and $[s]^q$, namely $jq^t \mapsto s^{q^t}$. So, $|[s]^q| = |[j]^q| = e_j$.

For any element $s \in F_{q^l}$, an $F_q$-subspace $U$ of $F_{q^l}$ is called $s$-invariant (or an $[s, q]$-subspace in short) if $sU = U$. An $[s, q]$-subspace of $F_{q^l}$ is called minimal if it contains no nonzero proper $[s, q]$-subspace. If $U$ and $V$ are two $[s, q]$-subspaces of $F_{q^l}$, then so are $U \cap V$ and $U + V$. If $e$ is the exponent of $[s]^q$, then $\mathrm{Span}_{F_q}\{s^i \mid i \ge 0\} \cong F_{q^e}$. So, for any $g \in F_{q^l} \setminus \{0\}$, the minimal $[s, q]$-subspace containing $g$ is $gF_{q^e}$. Clearly, if $s' \in [s]^q$, then $[s, q]$-subspaces and $[s', q]$-subspaces are the same.

Example 2. The minimal $[\alpha^5, 2]$- and $[\alpha^{10}, 2]$-subspaces of $F_{2^4}$ are $V_1 = F_4 = \{0, 1, \alpha^5, \alpha^{10}\}$, $V_2 = \alpha F_4$, $V_3 = \alpha^2 F_4$, $V_4 = \alpha^3 F_4$, $V_5 = \alpha^4 F_4$. The $[\alpha^k, 2]$-subspaces, for $k \ne 0, 5, 10$, are $\{0\}$ and $F_{16}$. Every subset $\{0, x\}$, $x \in F_{16}$, is a minimal $[\alpha^0, 2]$-subspace.

3 Transform Domain Characterization of FqLC Codes

By the cyclic shift property, in an FqLC code $C$, the values of $A_j$ constitute an $[\alpha^j, q]$-subspace of $F_{q^{mr}}$. However, this is not sufficient for $C$ to be an FqLC code.

Example 3. Consider length 15, $F_2$-linear codes over $F_{16}$. We have $q = 2$, $m = 4$ and $r = 1$. In Table 2, the code $C_3$ is not cyclic, though each transform component takes values from an appropriate invariant subspace. The other five codes in the same table are $F_2$LC codes. As the DFT kernel, we have taken a primitive element $\alpha \in F_{16}$ with minimal polynomial $X^4 + X + 1$.

The characterization of FqLC codes is in terms of certain decompositions of the codes. In the following subsection, we discuss the decomposition of FqLC codes and in Subsection 3.2 present the characterization.

3.1 Decomposition of FqLC Codes

We start from the following notion of a minimal generating set of subcodes for $F_q$-linear codes.

A set of $F_q$-linear subcodes $\{C_\lambda \mid \lambda \in \Lambda\}$ of an $F_q$-linear code $C$ is said to be a generating set of subcodes if $C = \sum_{\lambda \in \Lambda} C_\lambda$. A generating set of subcodes $\{C_\lambda \mid \lambda \in \Lambda\}$ of $C$ is called a minimal generating set of subcodes (MGSS) if $\sum_{\lambda \ne \lambda'} C_\lambda \ne C$ for all $\lambda' \in \Lambda$. The MGSS of an $F_q$-linear code is not unique. For example, consider the length 3 $F_2$-linear code over $F_{2^2}$, $C = \{c_1 = (00, 00, 00), c_2 = (01, 01, 01), c_3 = (10, 10, 10), c_4 = (11, 11, 11)\}$. The sets of subcodes $\{\{c_1, c_2\}, \{c_1, c_3\}\}$ and $\{\{c_1, c_2\}, \{c_1, c_4\}\}$ are both MGSSs for $C$.

Suppose $A_j$ takes values from $V \subseteq F_{q^{mr}}$, $V \ne \{0\}$, for an $F_q$-linear code $C$. Let $V_1$ be an $F_q$-subspace of $F_{q^{mr}}$. We call $C' = \{a \mid a \in C, A_j \in V_1\}$ the $F_q$-linear subcode obtained by restricting $A_j$ to $V_1$. For example, the subcode $C_1$ of Table 2 can be obtained from $C_4$ by restricting $A_5$ to $\{0\}$. Clearly, if $C$ is cyclic and $V_1$ is an $[\alpha^j, q]$-subspace, then $C'$ is also cyclic. If $S \subseteq I_n$, then the subcode obtained by restricting the transform components $A_j$, $j \notin S$, to 0 is called the $S$-subcode of $C$ and is denoted by $C_S$.

Lemma 1. Suppose in an $F_q$-linear code $C$, $A_j$ takes values from a subspace $V \subseteq F_{q^{mr}}$. Let $V_1, V_2$ be two subspaces of $V$ such that $V = V_1 + V_2$. (i) If $C_1$ and $C_2$ are the subcodes of $C$ obtained by restricting $A_j$ to $V_1$ and $V_2$ respectively, then $C = C_1 + C_2$. (ii) If $V_1$ and $V_2$ are $[\alpha^j, q]$-subspaces, then $C$ is cyclic if and only if $C_1$ and $C_2$ are cyclic.

Suppose for an $F_q$-linear code $C$, $A_j$ takes values from a nonzero $F_q$-subspace $V$ of $F_{q^{mr}}$, and $V$ intersects more than one minimal $[\alpha^j, q]$-subspace. Then we have two nonzero $[\alpha^j, q]$-subspaces $V_1$ and $V_2$ such that $V \subseteq V_1 \oplus V_2$, $V \cap V_1 \ne \phi$ and $V \cap V_2 \ne \phi$. Then we can decompose the code as the sum of two smaller codes $C_1$ and $C_2$ obtained by restricting $A_j$ to $V_1$ and $V_2$ respectively, i.e., $C = C_1 + C_2$. So by successively doing this for each $j$, we can decompose $C$ into a generating set of subcodes, in each of which, for any $j \in I_n$, the transform component $A_j$ takes values from an $F_q$-subspace of a minimal $[\alpha^j, q]$-subspace. In particular, if the original code was an FqLC code, all the subcodes obtained this way will have $A_j$ from minimal $[\alpha^j, q]$-subspaces. The following are immediate consequences of this observation and Lemma 1.

1. In a minimal FqLC code, any nonzero transform component $A_j$ takes values from a minimal $[\alpha^j, q]$-subspace of $F_{q^{mr}}$. For example, for the codes $C_1$ and $C_2$ in Table 2, $A_5$ and $A_{10}$ take values from minimal $[\alpha^5, 2]$-subspaces.

2. A code is FqLC if and only if all the subcodes obtained by restricting any nonzero transform component $A_j$ to minimal $[\alpha^j, q]$-subspaces of $F_{q^{mr}}$ are FqLC. The statement is also true without the word 'minimal'.
Suppose in an $F_q$-linear code $C$, the transform components $A_j$, $j \in I_n$, take values from $F_q$-subspaces $V_j$ of $F_{q^{mr}}$. A set of transform components $\{A_l \mid l \in L \subseteq I_n\}$ is called a maximal set of unrelated components (MSUC) if they are unrelated for $C$ and any other transform component $A_k$, $k \notin L$, can be expressed as $A_k = \sum_{l \in L} \sigma_{kl}(A_l)$ such that $\sigma_{kl}$ is an $F_q$-homomorphism of $V_l$ into $V_k$.

If some disjoint sets of transform components are unrelated in two codes $C'$ and $C''$, then the same is true for the code $C' + C''$. However, the converse is not true. For instance, for the codes $C_0$ and $C_1$ in Table 2, $A_5$ and $A_{10}$ are related, but they are unrelated for the sum $C_4 = C_0 + C_1$.

Theorem 1. If $C$ is an FqLC code over $F_{q^m}$ where any nonzero transform component $A_j$ takes values from a minimal $[\alpha^j, q]$-subspace $V_j$ of $F_{q^{mr}}$, then there is an MSUC $\{A_l \mid l \in L \subseteq I_n\}$ for $C$.

Clearly, for a code as described in Theorem 1, if $l \in L$, the code $C_l = \{a \in C \mid A_j = 0 \text{ for } j \in L \setminus \{l\}\}$ is a minimal FqLC code. So $C$ can be decomposed into an MGSS as $C = \bigoplus_{l \in L} C_l$. Since any code can be decomposed into a minimal generating set of subcodes with nonzero transform components taking values from minimal invariant subspaces by restricting the components to minimal invariant subspaces, a minimal generating set of minimal FqLC subcodes can be obtained by further decomposing each of the subcodes as above. So, we have:

Theorem 2. Any FqLC code can be decomposed as a direct sum of minimal FqLC codes.

Suppose, in an FqLC code, $A_j$ and $A_k$ take values from the $[\alpha^j, q]$-subspace $V_1$ and the $[\alpha^k, q]$-subspace $V_2$ respectively. Suppose $A_k$ is related to $A_j$ by an $F_q$-homomorphism $\sigma : V_1 \to V_2$, i.e., $A_k = \sigma(A_j)$. Then, since the code is cyclic,

$$\sigma(\alpha^j v) = \alpha^k \sigma(v) \quad \forall v \in V_1. \qquad (1)$$

Clearly, for such a homomorphism, $\mathrm{Ker}(\sigma)$ is an $[\alpha^j, q]$-subspace.

Lemma 2. Let $C$ be an FqLC code over $F_{q^m}$ where each nonzero transform component $A_j$ takes values from a minimal $[\alpha^j, q]$-subspace of $F_{q^{mr}}$. If $A_k = \sum_{i=1}^{t} \sigma_{j_i}(A_{j_i})$, where $A_{j_i}$, $i = 1, 2, \ldots, t$, take values freely from some respective minimal invariant subspaces, then $\sigma_{j_i}$, $i = 1, 2, \ldots, t$, are all $F_q$-isomorphisms.
3.2 Transform Characterization

The following theorem characterizes FqLC codes in the DFT domain.

Theorem 3. Let $C \subseteq F_{q^m}^n$ be an $n$-length $F_q$-linear code over $F_{q^m}$. Then, $C$ is FqLC if and only if all the subcodes of an MGSS obtained by restricting the transform components to minimal invariant subspaces satisfy the conditions:

1. For all $j \in I_n$, the set of values of the transform component $A_j$ is $\alpha^j$-invariant.

2. There is an MSUC $\{A_j \mid j \in J\}$ where $A_j$ takes values from a minimal $[\alpha^j, q]$-subspace $V_j$ and $A_k = \sum_{j \in J} \sigma_{kj}(A_j)$ for all $k \notin J$, where $\sigma_{kj}$ is an $F_q$-isomorphism of $V_j$ onto $V_k$ satisfying

$$\sigma_{kj}(\alpha^j v) = \alpha^k \sigma_{kj}(v) \quad \forall v \in V_j. \qquad (2)$$

Example 4. In Table 2, the codes obtained by restricting $A_5$ to $V_5$ and $V_1$ for the code $C_5$ are respectively $C_0$ and $C_2$. In both $C_0$ and $C_2$, the nonzero transform components $A_5$ and $A_{10}$ take values from minimal $[\alpha^5, 2]$-invariant subspaces, and the sum of $C_0$ and $C_2$ is $C_5$. So, $\{C_0, C_2\}$ is an MGSS of $C_5$. In both $C_0$ and $C_2$, $A_5$ and $A_{10}$ are related by isomorphisms. It can be checked that the isomorphisms satisfy condition (2).

Since for an FqLC code, transform components can be related by homomorphisms satisfying (1), we characterize such homomorphisms in Section 4. We also show that for FqLC codes, $A_j$ and $A_k$ can be related iff $k \in [j]^q$.

4 Connecting Homomorphisms for FqLC Codes

Throughout the section an endomorphism will mean an $F_q$-endomorphism.

A polynomial of the form $f(X) = \sum_{i=0}^{l-1} f_i X^{q^i} \in F_{q^l}[X]$ is called a $q$-polynomial or a linearized polynomial [10] over $F_{q^l}$. Each $q$-polynomial of degree less than $q^l$ induces a distinct $F_q$-linear map of $F_{q^l}$. So, considering the identical cardinalities, we have $\mathrm{End}_{F_q}(F_{q^l}) = \{\sigma_f : x \mapsto f(x) \mid f(X) = \sum_{i=0}^{l-1} f_i X^{q^i} \in F_{q^l}[X]\}$.

For any $y \in F_{q^l} \setminus \{0\}$, the automorphism induced by $f(X) = yX$ will be denoted by $\sigma_y$. The subset $\{\sigma_y \mid y \in F_{q^l} \setminus \{0\}\}$ forms a cyclic subgroup of $\mathrm{Aut}_{F_q}(F_{q^l})$, generated by $\sigma_{\beta_{q^l}}$, where $\beta_{q^l} \in F_{q^l}$ is a primitive element of $F_{q^l}$. In this subgroup, $\sigma_y^i = \sigma_{y^i}$. We shall denote this subgroup by $S_{q,l}$; with the zero map $0$ adjoined, $S_{q,l} \cup \{0\}$ forms a field isomorphic to $F_{q^l}$.

We shall denote the map $\sigma_{X^q} : y \mapsto y^q$ of $F_{q^l}$ onto $F_{q^l}$, induced by the polynomial $f(X) = X^q$, by $\theta_{q,l}$. Clearly, $\theta_{q,l}\sigma_x = \sigma_{x^q}\theta_{q,l}$, i.e., $\theta_{q,l}\sigma_x\theta_{q,l}^{-1} = \sigma_{x^q}$ for all $x \in F_{q^l}$. The map induced by the polynomial $f(X) = X^{q^i}$ is $\theta_{q,l}^i$. So, for any $f(X) = \sum_{i=0}^{l-1} f_i X^{q^i}$, $\sigma_f = \sum_{i=0}^{l-1} \sigma_{f_i}\theta_{q,l}^i$. Thus we have $\mathrm{End}_{F_q}(F_{q^l}) = \bigoplus_{i=0}^{l-1} (S_{q,l} \cup \{0\})\theta_{q,l}^i$, i.e., any endomorphism $\sigma \in \mathrm{End}_{F_q}(F_{q^l})$ can be decomposed uniquely as $\sigma = \sum_{i=0}^{l-1} \sigma_{(i)}$ where $\sigma_{(i)} \in (S_{q,l} \cup \{0\})\theta_{q,l}^i$. We shall call this decomposition the canonical decomposition of $\sigma$.

Theorem 4. Suppose $x_1, x_2 \in F_{q^l}$. Then $[x_1]^q = [x_2]^q$ $\Leftrightarrow$ $\exists\,\sigma \in \mathrm{Aut}_{F_q}(F_{q^l})$ such that $\sigma(x_1 x) = x_2\sigma(x)$ $\forall x \in F_{q^l}$.

Lemma 3. Let $V_1 \subseteq F_{q^l}$ be a minimal $[x_1, q]$-subspace and $\sigma : V_1 \to F_{q^l}$ be a nonzero homomorphism of $V_1$ into $F_{q^l}$ satisfying $\sigma(x_1 v) = x_2\sigma(v)$ $\forall v \in V_1$. Then $[x_1]^q = [x_2]^q$.

Theorem 5. Suppose $x_1, x_2 \in F_{q^l}$. Let $V_1 \subseteq F_{q^l}$ be an $[x_1, q]$-subspace and $\sigma$ be as in Lemma 3. Then (i) $[x_1]^q = [x_2]^q$ and (ii) $\sigma(V_2)$ is an $[x_1, q]$-subspace for any $[x_1, q]$-subspace $V_2 \subseteq V_1$.
Theorem 6. In an FqLC code, the transform components of different $q$-cyclotomic cosets are mutually unrelated.

Corollary 1. Any minimal FqLC code takes nonzero values only in one $q$-cyclotomic coset in the transform domain, and any minimal FqLC code which has nonzero transform components in $[j]^q$ has size $q^{e_j}$.

So, if $J_1, J_2, \ldots, J_t$ are the distinct $q$-cyclotomic cosets of $I_n$, then any FqLC code $C$ can be decomposed as $C = \bigoplus_{i=1}^{t} C_{J_i}$. The corresponding $m$-quasi-cyclic codes are called primary components [9] or irreducible components [2]. If $a \in F_{q^m}^n$, then the intersection of all the FqLC codes containing $a$ is called the FqLC code generated by $a$. We call such FqLC codes one-generator FqLC codes. Clearly, for a one-generator FqLC code $C$, each component $C_{J_i}$ is minimal.

Suppose $V_1$ and $V_2$ are two subspaces of $F_{q^l}$. Suppose $y \in F_{q^l}$ is such that $V_1$ is $y$-invariant, and $i$ is a nonnegative integer. Then we define $\mathrm{Hom}_{F_q}(V_1, V_2, y, i) = \{\sigma \in \mathrm{Hom}_{F_q}(V_1, V_2) \mid \sigma(yx) = y^{q^i}\sigma(x)\ \forall x \in V_1\}$. Clearly, $\mathrm{Hom}_{F_q}(V_1, V_2, y, i)$ is a subspace of $\mathrm{Hom}_{F_q}(V_1, V_2)$. Since $y^{q^{e_y}} = y$, we shall always assume $i < e_y$. We are interested in $\mathrm{Hom}_{F_q}(V_1, V_2, y, i)$ since, if for an FqLC code $A_j \in V_1$ and $A_{jq^i} \in V_2$, then $A_j$ and $A_{jq^i}$ can be related by a homomorphism $\sigma : V_1 \to V_2$ if and only if $\sigma \in \mathrm{Hom}_{F_q}(V_1, V_2, \alpha^j, i)$.

Theorem 7. Any $\sigma \in \mathrm{Hom}_{F_q}(x_1 F_{q^{e_y}}, x_2 F_{q^{e_y}}, y, i)$ is induced by a polynomial $f(X) = cX^{q^i}$ for some unique constant $c \in x_2 x_1^{-q^i} F_{q^{e_y}}$.

For $y = \alpha^j$ this theorem specifies all possible homomorphisms by which $A_{jq^i}$ can be related to $A_j$ for an FqLC code when $A_j$ takes values from a minimal $[\alpha^j, q]$-subspace.

Example 5. Clearly, in the codes $C_0$ and $C_2$ in Table 2, $A_5$ is related to $A_{10}$ by homomorphisms. Suppose $A_5 = \sigma_f(A_{10})$ where $f(X)$ is a $q$-polynomial over $F_{16}$. For $C_0$, $f(X) = \alpha^8 X^2$ and for $C_2$, $f(X) = \alpha X^2$.

The following theorem specifies the possible relating homomorphisms when $A_j$ takes values from a nonminimal $[\alpha^j, q]$-subspace.

Theorem 8. Suppose $V \subseteq F_{q^l}$ is a $[y, q]$-subspace and $V = \bigoplus_{j=0}^{t} V_j$ where the $V_j$ are minimal $[y, q]$-subspaces. Then, for any $\sigma \in \mathrm{Hom}_{F_q}(V, F_{q^l}, y, i)$, there is a unique polynomial of the form $f(X) = \sum_{j=0}^{t} c_j X^{q^{i + je_y}}$, $c_j \in F_{q^l}$, such that $\sigma = \sigma_f$. So, $\mathrm{Hom}_{F_q}(V, F_{q^l}, y, i) = \{\sigma_f \mid f(X) = \sum_{j=0}^{t} c_j X^{q^{i + je_y}},\ c_j \in F_{q^l}\}$.

So, if $j_1, \ldots, j_w \in [k]^q$ and $A_k$ is related to $A_{j_1}, \ldots, A_{j_w}$ by homomorphisms, i.e., if $A_k = \sigma_1(A_{j_1}) + \cdots + \sigma_w(A_{j_w})$, where $\sigma_1, \ldots, \sigma_w$ are homomorphisms, then the relation can be expressed as $A_k = \sum_{h_1} c_{1,h_1} A_{j_1}^{q^{h_1}} + \cdots + \sum_{h_w} c_{w,h_w} A_{j_w}^{q^{h_w}}$, where each $h_i$ ranges over the exponents with $k = j_i q^{h_i} \bmod n$, $i = 1, \ldots, w$.

Example 6. In the code $C_5$ in Table 2, $A_5$ is related to $A_{10}$ by a homomorphism induced by a polynomial of the two-term form $f(X) = c_0 X^{2} + c_1 X^{8}$ given by Theorem 8 (here $i = 1$ and $e_y = 2$).
5 Parity Check Matrix and Minimum Distance of Quasicyclic Codes

For linear codes, Tanner used a BCH-like argument [18] to estimate minimum distance bounds from the parity check equations over an extension field.

With respect to any basis of $F_{q^m}$ over $F_q$, there is a 1-1 correspondence between $n$-length FqLC codes and $m$-quasi-cyclic codes of length $nm$ over $F_q$. Here we describe how in some cases one can directly get a set of parity check equations of a quasi-cyclic code from the transform domain structure of the corresponding FqLC code. We first give a theorem from [3] for the distance bound.

Theorem 9. [3] Suppose the components of the vector $v$ over $F_{q^r}$, of length equal to that of the code, are nonzero and distinct. If for each $k = k_0, k_1, \ldots, k_{\delta-2}$ the vectors $v^k$ are in the span of a set of parity check equations over $F_{q^r}$, then the minimum distance of the code is at least that of the cyclic code of length $q^r - 1$ with roots $\beta^k$, $k = k_0, k_1, \ldots, k_{\delta-2}$, where $\beta$ is a primitive element of $F_{q^r}$.

So, if $k_i = k_0 + i$, the BCH bound gives $d_{\min} \ge \delta$.

Let us fix a basis $\{\beta_0, \beta_1, \ldots, \beta_{m-1}\}$ of $F_{q^m}$ over $F_q$. By our characterization of FqLC codes in the DFT domain, we know that for any $j \in [0, n-1]$, $A_j$ can take values from any $[\alpha^j, q]$-subspace of $F_{q^{m r_j}}$. In particular, $A_j$ can take values from subspaces of the form $c^{-1}F_{q^l}$ where $e_j \mid l$ and $l \mid m r_j$. Then

$$\Big(c\sum_{i=0}^{n-1}\alpha^{ij}a_i\Big)^{q^l} = c\sum_{i=0}^{n-1}\alpha^{ij}a_i, \quad\text{i.e.,}\quad \Big(c\sum_{i=0}^{n-1}\alpha^{ij}\sum_{x=0}^{m-1}a_{i,x}\beta_x\Big)^{q^l} = c\sum_{i=0}^{n-1}\alpha^{ij}\sum_{x=0}^{m-1}a_{i,x}\beta_x.$$

This gives a parity check vector $h = (h_{0,0}, h_{0,1}, \ldots, h_{0,m-1}, \ldots, h_{n-1,0}, \ldots, h_{n-1,m-1})$ with $h_{i,x} = (c\alpha^{ij}\beta_x)^{q^l} - c\alpha^{ij}\beta_x$. If $A_j = 0$, it gives a parity check vector $h$ with $h_{i,x} = \alpha^{ij}\beta_x$.

Now, for an FqLC code, $A_k$ can be related to several other transform components $A_{j_1}, \ldots, A_{j_w}$ by homomorphisms, where $j_1, \ldots, j_w \in [k]^q$. Then

$$A_k = \sum_{h_1} c_{1,h_1}A_{j_1}^{q^{h_1}} + \cdots + \sum_{h_w} c_{w,h_w}A_{j_w}^{q^{h_w}}$$

for some constants $c_{u,h_u} \in F_{q^{mr}}$, where $h_u$ ranges over the exponents with $k = j_u q^{h_u} \bmod n$. It can be checked in the same way that this gives a parity check vector $h$ with

$$h_{i,x} = \beta_x\alpha^{ik} - \sum_{u=1}^{w}\sum_{h_u} c_{u,h_u}\big(\alpha^{ij_u}\beta_x\big)^{q^{h_u}}.$$

The componentwise conjugate vectors of the parity check vectors obtained in these ways, and the vectors in their span, are also parity check vectors of the code. However, in general, for an FqLC code the components may not be related simply by homomorphisms, or components may not take values from subspaces of the form $c^{-1}F_{q^l}$. In those cases, the parity check vectors obtained in the above ways may not specify the code completely. But still those equations can be used for estimating a minimum distance bound by Theorem 9.



Since the DFT components in different $q$-cyclotomic cosets modulo $n$ are unrelated, the set of parity check equations over $F_{q^{mr}}$ is the union of the check equations corresponding to each $q$-cyclotomic coset modulo $n$. Clearly, for any one-generator code, a set of parity check vectors completely specifying the code can be obtained in this way. There are, however, other codes for which a complete set of parity check vectors can be derived. In fact, codes can be constructed by imposing simple transform domain restrictions, thus allowing the derivation of a complete set of parity check equations over $F_{q^{mr}}$. We illustrate this with the following example. If $\beta$ is a primitive element of $F_{q^{mr}}$, then we use $\alpha = \beta^{(q^{mr}-1)/n}$ as the DFT kernel and we take the basis $\{1, \beta, \ldots, \beta^{m-1}\}$.

Example 1. We consider the $F_2$LC code of length $n = 3$ over $F_{2^4}$ given by the transform domain restrictions $A_0 = 0$ and $A_2 = \beta^{u}A_1^{2} + \beta^{v}A_1^{8}$, the two-term relation of Theorem 8 (the two exponents $u$, $v$ are lost in the source). With the chosen basis, these two restrictions give the parity check vectors $h^{(1)} = (1, \beta, \beta^2, \beta^3, 1, \beta, \beta^2, \beta^3, 1, \beta, \beta^2, \beta^3)$ and $h^{(2)}$ of the underlying 4-quasi-cyclic code respectively. Componentwise conjugates of these vectors are also parity check vectors, and the conjugates of $h^{(2)}$ satisfy linear relations over $F_{16}$ with the conjugates $h^{(1)}, h^{(1)^2}, h^{(1)^4}, h^{(1)^8}$. So, the underlying quasi-cyclic code is a $[12, 4, 6]$ code. This code is actually the same as the $[12, 4, 6]$ code discussed in [18].
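As an added worked example (our own code, not from the paper and not the contents of Table 2), the following Python script builds the objects of Sections 2, 3 and 5 over $F_{16} = F_2[x]/(x^4 + x + 1)$ with $\beta = x$ primitive: the cyclotomic cosets of Table 1, the DFT with kernel $\alpha = \beta^{(16-1)/n}$, an $F_2$-linear cyclic code of length 15 specified in the transform domain whose relating maps satisfy (1) next to one whose map does not (so it fails to be cyclic although every component lies in an invariant subspace, as $C_3$ in Example 3), the binary 4-quasi-cyclic image, and the length-3 construction of the example above with the parity check vectors $h^{(1)}$, $h^{(2)}$ of Section 5. The relating constants ($\beta^3$, $\beta^7$, $\beta^{11}$ for the length-15 code and $c_1 = c_2 = \beta^3$ for the length-3 code) are our choices, since the paper's constants are not legible; the search over all 256 pairs $(c_1, c_2)$ shows that 6 is the best binary minimum distance this construction attains, matching the $[12, 4, 6]$ parameters stated above.

```python
from functools import reduce
from itertools import product
from operator import xor

# F_16 = F_2[x]/(x^4 + x + 1), beta = x primitive.  Elements are ints 0..15; bit t of an
# element is its coordinate on beta^t, i.e. the basis {1, beta, beta^2, beta^3} of Section 5.
EXP, LOG, _e = [0] * 30, [0] * 16, 1
for _k in range(15):
    EXP[_k], LOG[_e] = _e, _k
    _e = (_e << 1) ^ (0b10011 if _e & 0x8 else 0)
EXP[15:] = EXP[:15]                            # so EXP[i + j] needs no reduction mod 15

def gmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gpow(a, k):
    return 1 if k == 0 else (0 if a == 0 else EXP[(LOG[a] * k) % 15])

def beta(k):                                   # beta^k for any integer k (addition is XOR)
    return EXP[k % 15]

def dft(a):                                    # A_j = sum_i alpha^(ij) a_i, alpha = beta^(15/n)
    n, w = len(a), 15 // len(a)
    return [reduce(xor, (gmul(beta(w * i * j), a[i]) for i in range(n)), 0) for j in range(n)]

def idft(A):                                   # a_i = sum_j alpha^(-ij) A_j (n odd: 1/n = 1)
    n, w = len(A), 15 // len(A)
    return [reduce(xor, (gmul(beta(-w * i * j), A[j]) for j in range(n)), 0) for i in range(n)]

def cosets(n, q):
    """q-cyclotomic cosets [j]_n^q = {j q^t mod n}, as a set of frozensets (Table 1)."""
    out = set()
    for j in range(n):
        c, i = set(), j
        while i not in c:
            c.add(i)
            i = i * q % n
        out.add(frozenset(c))
    return out

def code_from_transform(n, j0, relations):
    """Words over F_16 with A_j0 = v free in F_16, A_k = relations[k](v), other A_j = 0."""
    words = set()
    for v in range(16):
        A = [0] * n
        A[j0] = v
        for k, f in relations.items():
            A[k] = f(v)
        words.add(tuple(idft(A)))
    return words

def is_f2_linear(code):
    return all(tuple(x ^ y for x, y in zip(a, b)) in code for a in code for b in code)

def is_cyclic(code, m=1):                      # m = 1: cyclic; m = 4 on binary images: 4-quasi-cyclic
    return all(a[-m:] + a[:-m] in code for a in code)

def is_f16_linear(code):
    return all(tuple(gmul(s, x) for x in a) in code for a in code for s in range(16))

def to_bits(a):                                # binary image, symbol by symbol in the basis
    return tuple((x >> t) & 1 for x in a for t in range(4))

def min_distance(code):
    return min(sum(1 for x in a if x) for a in code if any(a))

# n = 15 (Sections 2-3): A_2, A_4, A_8 tied to A_1 by c*X^(2^h), which satisfies (1), and
# 2, 4, 8 lie in the 2-cyclotomic coset of 1.  The three constants are our own choice.
GOOD = code_from_transform(15, 1, {2: lambda v: gmul(beta(3), gpow(v, 2)),
                                   4: lambda v: gmul(beta(7), gpow(v, 4)),
                                   8: lambda v: gmul(beta(11), gpow(v, 8))})
# A_2 = c*A_1 keeps both components in invariant subspaces but violates (1): not cyclic.
BAD = code_from_transform(15, 1, {2: lambda v: gmul(beta(3), v)})

# n = 3 (Section 5): A_0 = 0 and A_2 = c1*A_1^2 + c2*A_1^8, the two-term form of Theorem 8
# (F_16 = F_4 + beta*F_4 is not a minimal [alpha, 2]-subspace for alpha = beta^5).
def length3_code(c1, c2):
    return code_from_transform(3, 1, {2: lambda v: gmul(c1, gpow(v, 2)) ^ gmul(c2, gpow(v, 8))})

def parity_checks(c1, c2):
    """h^(1) from A_0 = 0 and h^(2) from the A_2 relation; entries h_{i,x} as in Section 5."""
    al = beta(5)
    h1 = [beta(x) for i in range(3) for x in range(4)]
    h2 = [gmul(beta(x), gpow(al, 2 * i)) ^ gmul(c1, gpow(gmul(gpow(al, i), beta(x)), 2))
          ^ gmul(c2, gpow(gmul(gpow(al, i), beta(x)), 8)) for i in range(3) for x in range(4)]
    return h1, h2

def syndrome(h, bits):                         # sum_{i,x} h_{i,x} a_{i,x} in F_16
    return reduce(xor, (hx for hx, b in zip(h, bits) if b), 0)

def best_binary_distance():
    """Largest minimum distance of the binary [12,4] image over all 256 choices of (c1, c2)."""
    return max(min_distance({to_bits(a) for a in length3_code(c1, c2)})
               for c1, c2 in product(range(16), repeat=2))
```

`cosets(15, 2)` reproduces the first block of Table 1, `is_cyclic(GOOD)` and `not is_cyclic(BAD)` are the point of Example 3, `not is_f16_linear(GOOD)` shows an FqLC code that is not linear over $F_{16}$, and `syndrome(h, to_bits(w))` vanishes on every codeword of `length3_code(c1, c2)` for both vectors returned by `parity_checks`.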



Table 2. A Few Length 15 $F_2$-Linear Codes over $F_{16}$

[Only nonzero transform components are shown. The elements of $F_{16}$ are represented by the corresponding power of the primitive element and 0 is represented by -1.]
Abstract. The Projective Reed-Muller codes (PRM codes) were introduced by G. Lachaud [4] in 1988. A change in the choice of the set of representatives of the projective space gives two PRM codes that are not equivalent by permutation. In this paper, we present some criteria in the choice of the set of representatives to construct cyclic or quasi-cyclic PRM codes.

Key words: projective Reed-Muller codes, quasi-cyclic codes, projective linear group.

1 Introduction

The Projective Reed-Muller codes are obtained by evaluating the homogeneous polynomials of degree $\nu$ on a set of representatives of the projective space $P_m$. They are studied in many papers [4, 5, 3, 6]; in particular their parameters are known.

In [4], G. Lachaud constructs the set of representatives of $P_m$ using the lexicographic order. He explains that a change of the set of representatives gives two codes equivalent by automorphism (in fact, by scalar multiplications on each component), but these codes are not permutation-equivalent. In [3], A. Sorensen constructs some cyclic PRM codes.

In this paper we give a general criterion on the set of representatives to construct a PRM code invariant under a permutation chosen in the Projective Linear Group. Then we apply this result to give some conditions to be cyclic or quasi-cyclic.

2 Preliminaries

Let $F_q$ be the finite field with $q$ elements, where $q$ is a power of the prime $p$. Let $F_{q^m}$ be an extension of degree $m$ of $F_q$.

Let $V_m$ be the vector space of dimension $m$ over $F_q$ and $P_m$ be the associated projective space (the set of all linear lines of $V_m$). Set $n = (q^m - 1)/(q - 1)$.

Let $F_q[X_1, \ldots, X_m]$ be the set of polynomials in $m$ indeterminates over $F_q$, and $A_\nu$ be the subset of $F_q[X_1, \ldots, X_m]$ generated by the homogeneous polynomials of degree $\nu$.
Definition 1. Let $S = (S_1, \ldots, S_n)$, $S_i \in V_m$, be a system of representatives of the projective space $P_m$. The projective Reed-Muller code $PRM_\nu$ of order $\nu$, of length $n$, associated to $S$ is the vector space

$$\{(f(S_1), \ldots, f(S_n)) \mid f \in A_\nu\}.$$

The parameters of PRM codes are known (cf. [4, 3]): the length of $PRM_\nu$ is $n = (q^m - 1)/(q - 1)$, the dimension is

$$k = \sum_{\substack{t \equiv \nu \pmod{q-1} \\ 0 < t \le \nu}} \ \sum_{j=0}^{m} (-1)^j \binom{m}{j} \binom{t - jq + m - 1}{t - jq},$$

and the minimum distance is $d_\nu = (q - s)\,q^{m-r-2}$, where $\nu - 1 = r(q - 1) + s$, $0 \le s < q - 1$.

For $\nu > (m - 1)(q - 1)$, the PRM codes are trivial. We suppose $\nu \le (m - 1)(q - 1)$.

3 Main Result

Let $\sigma$ be an element of the linear group $GL(m, q)$ considered as a linear permutation on $V_m$. Such an element induces a permutation $\bar\sigma$ on the set of representatives $S$ of $P_m$ as follows: if $S_i$ is an element of $S$, set $U = \sigma(S_i) \in V_m$ and let $S_j$ be the representative of $U$, i.e. the element of $S$ such that there exists $\lambda \in F_q$ satisfying $U = \lambda S_j$. Then $\bar\sigma(S_i) = S_j$. The projective linear group $PGL(m, q)$ is the set of permutations $\bar\sigma$, $\sigma \in GL(m, q)$.

Definition 2. Let $S$ be a system of representatives of the projective space and $\sigma$ be an element of $GL(m, q)$. $S$ is compatible with $\sigma$ if $\sigma(S) = S$, i.e. $\sigma(S_i) = \bar\sigma(S_i)$ for all $i$.

Theorem 1. Let $S$ be a system of representatives compatible with an element $\sigma$ in $GL(m, q)$. The projective Reed-Muller code $PRM_\nu$ is then invariant under the permutation $\bar\sigma$.

Proof. Suppose that $S$ is compatible with $\sigma$. Let $c = (f(S_1), \ldots, f(S_n))$, $f \in A_\nu$, be an element of $PRM_\nu$. So $\bar\sigma(c) = (f(\sigma(S_1)), \ldots, f(\sigma(S_n)))$.

Set $S_k = (S_{k,1}, \ldots, S_{k,m})$. Since $\sigma$ is a linear transformation, there exist some scalars $\sigma_{j,i}$ such that $\sigma(S_k) = (\sum_{j=1}^{m} S_{k,j}\sigma_{j,1}, \ldots, \sum_{j=1}^{m} S_{k,j}\sigma_{j,m})$.

Therefore, writing $f_{i_1,\ldots,i_m}$ for the coefficients of $f$, $f(\sigma(S_k)) = \sum_{i_1+\cdots+i_m=\nu} f_{i_1,\ldots,i_m}\,(\sum_{j=1}^{m} S_{k,j}\sigma_{j,1})^{i_1} \cdots (\sum_{j=1}^{m} S_{k,j}\sigma_{j,m})^{i_m}$.

The polynomial $\Gamma(X_1, \ldots, X_m) = \sum_{i_1+\cdots+i_m=\nu} f_{i_1,\ldots,i_m}\,(\sum_{j=1}^{m}\sigma_{j,1}X_j)^{i_1} \cdots (\sum_{j=1}^{m}\sigma_{j,m}X_j)^{i_m}$ is clearly homogeneous of degree $\nu$.

Then we have $\bar\sigma((f(S_1), \ldots, f(S_n))) = (\Gamma(S_1), \ldots, \Gamma(S_n))$.

Thus $\bar\sigma((f(S_1), \ldots, f(S_n)))$ is an element of $PRM_\nu$, and $PRM_\nu$ is invariant under $\bar\sigma$. □
4 Cyclicity and Quasi-cyclicity

4.1 Cyclic Case

In order to construct cyclic PRM codes, we need some sets of representatives that are an orbit of length $n$ under a permutation $\sigma \in GL(m, q)$. Using a basis of $F_{q^m}$ over $F_q$ we identify $V_m$ and $F_{q^m}$.

Lemma 1. Suppose that $n$ and $q - 1$ are coprime. Let $\alpha$ be a primitive root of $F_{q^m}$. Set $\beta = \alpha^{q-1}$. The set $(\beta, \beta^2, \ldots, \beta^n)$ is a set of representatives of the projective space $P_m$.

Proof. Suppose that $\beta^{i-j}$ is in $F_q$, $0 < j < i < n$. Then $(\beta^{i-j})^{q-1} = \alpha^{(q-1)^2(i-j)} = 1$. That implies $n$ divides $(q-1)(i-j)$. Since $n$ and $q-1$ are coprime, $n$ divides $i - j < n$. We deduce $i = j$ and $(\beta, \ldots, \beta^n)$ is a set of representatives of $P_m$. □

Let $\sigma_\beta \in GL(m, q)$ be the linear permutation of $V_m = F_{q^m}$ defined by $\sigma_\beta(g) = \beta g$. Clearly, $(\beta, \beta^2, \ldots, \beta^n)$ is compatible with $\sigma_\beta$. We can deduce the following theorem, which is a part of Theorem 3 in [3].

Theorem 2. If $n$ and $q - 1$ are coprime, then the code $PRM_\nu$ is cyclic for all $\nu$, $0 < \nu \le (m - 1)(q - 1)$.

Remark 1. In [3], Sorensen gave other examples of cyclic PRM codes. The cyclicity of these codes does not depend on the set of representatives, but only on the value of $\nu$.

Example 1: Set $q = 3$ and $m = 3$. Then the length of PRM codes is $n = 13$, which is coprime to $q - 1 = 2$. We obtain cyclic codes over $GF(3)$ with the following parameters:


  ν | 1 | 2 | 3  | 4
  k | 3 | 6 | 10 | 12
  d | 9 | 6 | 3  | 2

where $k$ and $d$ are respectively the dimension and the minimum distance of the $PRM_\nu$ code.
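As an added example (our own code, not from the paper), the following Python script carries out Lemma 1 and Theorem 2 for Example 1 over $F_{27} = F_3[x]/(x^3 + 2x + 1)$: it picks a primitive element $\alpha$ by brute force, forms $\beta = \alpha^{q-1}$ and the representatives $(\beta, \beta^2, \ldots, \beta^{13})$, checks that they meet every line of $P_m$ exactly once, builds $PRM_\nu$ by evaluating the degree-$\nu$ monomials at them, and computes the dimension, the minimum distance and the invariance under the cyclic shift, next to the dimension and distance formulas quoted in Section 2. The modulus polynomial and the way $\alpha$ is chosen are our assumptions; the functions accept any $\nu$, so the script generalizes the table above.

```python
from itertools import combinations_with_replacement, product
from math import comb, prod

Q, M = 3, 3                                   # q = 3, m = 3, so n = (q^m - 1)/(q - 1) = 13
N = (Q ** M - 1) // (Q - 1)
ZERO, ONE = (0, 0, 0), (1, 0, 0)              # F_27 elements as coefficient triples (c0, c1, c2)

def fmul(a, b):
    """Multiply in F_27 = F_3[x]/(x^3 + 2x + 1), using x^3 = x + 2 to reduce."""
    p = [0] * (2 * M - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            p[i + j] = (p[i + j] + u * v) % Q
    for d in (4, 3):                          # x^4 = x^2 + 2x, then x^3 = x + 2
        p[d - 3], p[d - 2] = (p[d - 3] + 2 * p[d]) % Q, (p[d - 2] + p[d]) % Q
        p[d] = 0
    return tuple(p[:M])

def fpow(a, k):
    r = ONE
    for _ in range(k):
        r = fmul(r, a)
    return r

def primitive_element():
    """First element of multiplicative order 26 = 2 * 13; F_27^* is cyclic, so one exists."""
    return next(c for c in product(range(Q), repeat=M)
                if c != ZERO and fpow(c, 13) != ONE and fpow(c, 2) != ONE)

ALPHA = primitive_element()
BETA = fpow(ALPHA, Q - 1)                     # beta = alpha^(q - 1), as in Lemma 1
S = [fpow(BETA, i) for i in range(1, N + 1)]  # (beta, beta^2, ..., beta^n); beta^n = 1

def is_representative_system(pts):
    """No point is an F_q-multiple of another: the points hit each line of P_m once."""
    return all(p != ZERO for p in pts) and all(
        tuple(l * c % Q for c in pts[i]) != pts[j]
        for i in range(len(pts)) for j in range(len(pts)) if i != j for l in range(1, Q))

def generator_rows(nu):
    """Evaluations (f(S_1), ..., f(S_n)) of the monomials of degree nu, a basis of A_nu."""
    exps = [tuple(c.count(v) for v in range(M)) for c in combinations_with_replacement(range(M), nu)]
    return [tuple(prod(pow(x, k, Q) for x, k in zip(s, e)) % Q for s in S) for e in exps]

def row_reduce(rows):
    """Reduced row echelon form over F_3; returns the nonzero rows (a basis of the span)."""
    rows, r = [list(x) for x in rows], 0
    for col in range(N):
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        rows[r] = [x * rows[r][col] % Q for x in rows[r]]   # 1 and 2 are self-inverse mod 3
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                rows[i] = [(x - rows[i][col] * y) % Q for x, y in zip(rows[i], rows[r])]
        r += 1
    return [tuple(x) for x in rows[:r]]

def dimension(nu):
    return len(row_reduce(generator_rows(nu)))

def is_cyclic(nu):
    """Theorem 2: every cyclically shifted generator row lies in the code again."""
    rows = generator_rows(nu)
    return len(row_reduce(rows + [r[-1:] + r[:-1] for r in rows])) == len(row_reduce(rows))

def min_distance(nu):
    """Enumerate all q^k codewords from the reduced basis (k <= 10 keeps this quick)."""
    words = {(0,) * N}
    for g in row_reduce(generator_rows(nu)):
        words |= {tuple((w + l * x) % Q for w, x in zip(word, g)) for word in words for l in (1, 2)}
    return min(sum(1 for x in w if x) for w in words if any(w))

def paper_dimension(nu):
    """The dimension formula quoted in Section 2 (binomials with a negative entry are 0)."""
    C = lambda n, k: comb(n, k) if 0 <= k <= n else 0
    return sum((-1) ** j * comb(M, j) * C(t - j * Q + M - 1, t - j * Q)
               for t in range(1, nu + 1) if (t - nu) % (Q - 1) == 0 for j in range(M + 1))

def paper_distance(nu):
    """d_nu = (q - s) q^(m - r - 2) with nu - 1 = r(q - 1) + s, 0 <= s < q - 1."""
    r, s = divmod(nu - 1, Q - 1)
    return (Q - s) * Q ** (M - r - 2)
```

For $\nu = 1, \ldots, 4$ the computed dimensions are 3, 6, 10, 12 and the computed distances 9, 6, 3 (for $\nu \le 3$; $\nu = 4$ has $3^{12}$ codewords and is better left to the formula), in agreement with the table; `is_cyclic(nu)` holds for all four, as Theorem 2 predicts since $(13, 2) = 1$.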

Example 2: Set $q = 4$ and $m = 4$. The length of PRM codes is $n = 85$. We obtain cyclic codes over $GF(4)$ with the following parameters:

4.2 Quasi-cyclic Case

In this section, we generalize the results of Theorem 2 to the case $(n, q - 1) \ne 1$. This leads to quasi-cyclic codes.
Lemma 2. Let $\alpha$ be a primitive root of $F_{q^m}$. Let $c = (n, q - 1)$ be the gcd of $n$ and $q - 1$. Set $\gamma = \alpha^{c(q-1)}$. If $n/c$ and $q - 1$ are coprime, then $S = (\gamma, \ldots, \gamma^{n/c}, \alpha\gamma, \ldots, \alpha\gamma^{n/c}, \ldots, \alpha^{c-1}\gamma, \ldots, \alpha^{c-1}\gamma^{n/c})$ is a set of representatives of the projective space.

Proof. Assume that $\alpha^i\gamma^j / (\alpha^l\gamma^r)$ is in $F_q$. Since $\gamma = \alpha^{c(q-1)}$, we deduce that $\alpha^{(i-l) + c(q-1)(j-r)} \in F_q$. As previously, $n$ must divide $(i - l) + c(q-1)(j-r)$.

This implies $c$ divides $(i - l) + c(q-1)(j-r)$, and then $c$ divides $(i - l)$. Since $|i - l| < c$, we have $i = l$.

Our hypothesis is reduced to $\gamma^{j-r} \in F_q$. We know that $n$ divides $c(q-1)(j-r)$, which means that $n/c$ divides $(q-1)(j-r)$.

Since $n/c$ and $q - 1$ are coprime, $n/c$ divides $(j - r)$. But $|j - r|$ is less than $n/c$ and so $j = r$.

For $(i, j) \ne (l, r)$, $\alpha^i\gamma^j / (\alpha^l\gamma^r)$ is not in $F_q$, and $S$ is a set of representatives of the projective space. □

Theorem 3. Let $\alpha$ be a primitive root of $F_{q^m}$. Let $c = (n, q - 1)$ be the gcd of $n$ and $q - 1$. Suppose that $q - 1$ and $n/c$ are coprime. For all $\nu$, the code $PRM_\nu$ associated to the set of representatives $S$ defined in Lemma 2 is quasi-cyclic of index $c$ and order $n/c$.

Proof. Let $\sigma$ be the element of $GL(m, q)$ such that $\sigma(g) = \gamma g$ for every $g \in F_{q^m}$. The set $S$ is invariant under $\sigma$, and $\sigma$ induces a quasi-cyclic permutation on $PRM_\nu$ with cycles of length $n/c$. □

Example 3: Set $q = 4$ and $m = 3$. The length of PRM codes is $n = 21$. We obtain $c = (21, 3) = 3$ and $(n/c, c) = (7, 3) = 1$. This leads to quasi-cyclic codes over $GF(4)$ of index 3 and order 7 with the following parameters:
If $n/c$ and $q - 1$ are not coprime, it is possible to extend the results of Theorem 3 as follows:

Set $c_1 = (n, q - 1)$, $c_2 = (n/c_1, q - 1)$, $c_3 = (n/(c_1c_2), q - 1)$, and so on until $c_s = 1$. Let $c = \prod_{i=1}^{s} c_i$. Then $c$ is the least divisor of $n$ such that $n/c$ and $q - 1$ are coprime.

Lemma 3. Let $\alpha$ be a primitive root of $F_{q^m}$ and $\delta = \alpha^{c(q-1)}$, where $c$ is defined as previously. Then $S = (\delta, \ldots, \delta^{n/c}, \alpha\delta, \ldots, \alpha\delta^{n/c}, \ldots, \alpha^{c-1}\delta, \ldots, \alpha^{c-1}\delta^{n/c})$ is a set of representatives of the projective space.

Proof. It is the direct generalization of that of Lemma 2. □

Cyclic Projective Reed-Muller Codes 81

Theorem 4. For the set of representatives $S$ defined in Lemma 3, the code $PRM_\nu$ is quasi-cyclic of index $c$ and order $n/c$ for all $\nu$.

Proof. The proof is the same as for Theorem 3. □

Example 4: Set $q = 3$ and $m = 4$. Then the length of PRM codes is $n = 40$. We obtain $c_1 = (40, 2) = 2$, $c_2 = (20, 2) = 2$, $c_3 = (10, 2) = 2$ and $c_4 = (10/2, 2) = 1$. Then $c = 8$, and we obtain quasi-cyclic codes over $GF(3)$ of index 8 and order $40/8 = 5$ with the following parameters:

Remark 2. It is possible that $n$ may be totally decomposed using Lemma 3. In that case, the code is not quasi-cyclic, since its order is 1. However, we do not find such an example under the condition $n = (q^m - 1)/(q - 1)$, $q$ a power of a prime $p$.
Abstract. We consider identifying and strongly identifying codes. Finding faulty processors in a multiprocessor system gives the motivation for these codes. Constructions and lower bounds on these codes are given. We provide two infinite families of optimal $(1, \le 2)$-identifying codes, which can find malfunctioning processors in a binary hypercube $F_2^n$. Also two infinite families of optimal codes are given in the corresponding case of strong identification. Some results on more general graphs are provided as well.

1 Introduction

Let $F_2^n$ be the Cartesian product of $n$ copies of the binary field $F_2$. The Hamming distance $d(x, y)$ between vectors (words) $x$ and $y$ of $F_2^n$ is the number of coordinates in which they differ; the Hamming weight $w(x)$ of $x$ is defined as $d(x, 0)$. A nonempty subset of $F_2^n$ is called a code.

In the seminal paper [12] by Karpovsky, Chakrabarty and Levitin, the problem of locating malfunctioning processors in a multiprocessor system was introduced.

Assume that $2^n$ processors are labelled by the distinct binary vectors of $F_2^n$ and the processors are connected (with a communication link) if and only if the Hamming distance of the corresponding labels equals one. Any processor can check the processors within Hamming distance $t$. It reports "NO" if problems are detected in its neighbourhood and "YES" otherwise. Assuming that there are at most $l$ malfunctioning processors, we want to choose a subset of processors (i.e., a code $C \subseteq F_2^n$) in such a way that based on their reports we know where the faulty processors are. Of course, the smaller the subset the better.

Let us be more precise. We denote by $|X|$ the cardinality of a set $X$ and the Hamming sphere by $B_t(x) = \{y \in F_2^n \mid d(x, y) \le t\}$. Let $C \subseteq F_2^n$. For any $X \subseteq F_2^n$ we define

$$I_t(X) = I_t(C; X) = \Big(\bigcup_{x \in X} B_t(x)\Big) \cap C.$$
Definition 1. Let $t$ and $l$ be non-negative integers. A code $C \subseteq \mathbb{F}_2^n$ is called $(t,\le l)$-identifying if for all $X, Y \subseteq \mathbb{F}_2^n$, $X \ne Y$, with $|X| \le l$ and $|Y| \le l$, we have $I_t(X) \ne I_t(Y)$.

When we receive $I_t(C; X)$, we immediately know the set of faulty processors $X$ if $C$ is $(t,\le l)$-identifying and $|X| \le l$.

When maintaining multiprocessor systems with the model above, we expect to receive correct reports also from the malfunctioning processors that are in the code. If, however, a faulty processor may either send the wrong report (i.e., be silent) or the correct report, then we need the following concept of strong identification to handle the situation.

In order to find the malfunctioning processors in this case we require that $C$ satisfies the following. For any different subsets $X$ and $Y$ of $\mathbb{F}_2^n$ ($|X|, |Y| \le l$), the sets $I_t(X) \setminus S$ and $I_t(Y) \setminus T$ are distinct for all $S \subseteq X \cap C$ and $T \subseteq Y \cap C$. Then obviously we can always distinguish between $X$ and $Y$.

Definition 2. [10] Let $C \subseteq \mathbb{F}_2^n$. Let further $t$ and $l$ be non-negative integers. Define

$$\bar I_t(X) = \{\, U \mid I_t(X) \setminus (X \cap C) \subseteq U \subseteq I_t(X) \,\} \qquad (1)$$

for every $X \subseteq \mathbb{F}_2^n$.

If for all $X, Y \subseteq \mathbb{F}_2^n$, where $X \ne Y$ and $|X|, |Y| \le l$, we have $\bar I_t(X) \cap \bar I_t(Y) = \emptyset$, then we say that $C$ is a strongly $(t,\le l)$-identifying code.

Let us denote $I_1(X) = I(X)$, $I_t(\{x_1, \dots, x_s\}) = I_t(x_1, \dots, x_s)$ and $I_t'(y) = I_t(y) \setminus \{y\}$. The smallest cardinality of a $(t,\le l)$-identifying code and of a strongly $(t,\le l)$-identifying code of length $n$ is denoted by $M^{(t,\le l)}(n)$ and $M_s^{(t,\le l)}(n)$, respectively. A code attaining the smallest cardinality is called optimal. We say that $x$ $t$-covers $y$ if $d(x,y) \le t$, and we omit $t$ if $t = 1$.

In this paper we focus on $(1,\le 2)$-identifying and strongly $(1,\le 2)$-identifying codes in binary Hamming spaces. We will provide infinite sequences of optimal codes in both cases. Results on $l = 1$ can be found in the case of identifying codes in [1,2,12,7,6] and in the case of strong identification in [10,11]. For results on $l \ge 3$, consult [13,14].

In the last section we discuss some properties of identification also in other graphs (results in the case $l = 1$ can be found, for instance, in [12,3]).

2 Lower Bounds 

Let us first give a lemma which is needed throughout the paper.

Lemma 1. For $a, b \in \mathbb{F}_2^n$ we have

$$|B_1(a) \cap B_1(b)| = \begin{cases} n+1 & \text{if } a = b \\ 2 & \text{if } d(a,b) = 1 \text{ or } 2 \\ 0 & \text{otherwise.} \end{cases} \qquad (2)$$
Theorem 1. [13,15] Let $l \ge 2$. Then

$$M^{(1,\le l)}(n) \;\ge\; \left\lceil \frac{(2l-1)\,2^n}{n+1} \right\rceil \qquad\text{and}\qquad M_s^{(1,\le l)}(n) \;\ge\; \left\lceil \frac{(2l-1)\,2^n}{n} \right\rceil .$$

Proof. Let us prove the latter inequality. Let $C$ be a strongly $(1,\le l)$-identifying code. If $x \notin C$, then $|I(x)| \ge 2l-1$. Indeed, otherwise if $I(x) = \{c_1, \dots, c_{2l-2}\}$ and $x_i$ ($i = 1, \dots, l-1$) is the unique word ($x_i \ne x$) at distance one from both $c_{2i-1}$ and $c_{2i}$ (it exists by Lemma 1), we have $I(x_1, \dots, x_{l-1}) = I(x_1, \dots, x_{l-1}, x)$, which is a contradiction. Obviously fewer than $2l-2$ codewords in $I(x)$ is also impossible.

Assume then that $x \in C$. Let $I(x) = \{c_1, \dots, c_{2l-2}, x\}$ and define $x_i$ as above for all $i = 1, \dots, l-1$. Now $I(x_1, \dots, x_{l-1}) = I(x_1, \dots, x_{l-1}, x) \setminus \{x\}$, which is impossible, and hence $|I(x)| \ge 2l$.

Since every codeword lies in exactly $n+1$ spheres $B_1(x)$, counting the pairs $(x, c)$ with $c \in I(x)$ in two ways gives $|C|(n+1) \ge 2l\,|C| + (2l-1)(2^n - |C|)$, which yields the claim. $\square$

As we shall see, these estimates can often be attained.

3 Optimal Codes for (1, ≤ 2)-Identification

In the sequel we need two initial codes in order to provide the two infinite sequences of optimal codes. These initial codes are given next and can be found in [9,16].

Theorem 2. The following code is $(1,\le 2)$-identifying:

{00100, 00010, 00001, 11000, 10100, 10010, 01100, 01001, 00011, 11010, 11001, 10101, 01110, 10111, 01111, 11111}.

Corollary 1. $M^{(1,\le 2)}(5) = 16$.

Denote by $\mathcal{H}_7$ the Hamming code of length seven with the parity check matrix

$$H = \begin{pmatrix} 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 \end{pmatrix}.$$

Let $C_1 = \mathcal{H}_7 + 1011001$ and $C_2 = \mathcal{H}_7 + 0000100$ be two cosets of $\mathcal{H}_7$. Let further $P_1$ and $P_3$ be the codes obtained by permuting $C_1$ using the permutations $(7,3)(4,2)$ and $(6,3)(4,1)$, respectively. By $P_2$ we denote the code obtained from $C_2$ using the permutation $(1,2)(3,5)$. It is easy to check (with a computer) that $U = P_1 \cup P_2 \cup P_3$ is $(1,\le 2)$-identifying. The following result now follows from Theorem 1.
Theorem 3. $M^{(1,\le 2)}(7) = 48$.

Next we describe a construction which together with the initial codes gives the two infinite sequences of optimal $(1,\le 2)$-identifying codes.

Theorem 4. [16] If $C \subseteq \mathbb{F}_2^n$ is a $(1,\le 2)$-identifying code, then also

$$C' = \{\, (\pi(u), u, u+v) \mid u \in \mathbb{F}_2^n,\ v \in C \,\},$$

where $\pi(u)$ denotes a parity check bit on $u$, is a $(1,\le 2)$-identifying code of length $2n+1$.

Proof. (Sketch) By [16, Theorem 2] the code $C$ covers each word at least three times, and thus by [4, Theorems 3.4.3 and 14.4.3] the code $C'$ also does. Since $C'$ covers each word at least three times, and the intersection of three different spheres of radius one contains at most one element, $C'$ is $(1,\le 1)$-identifying. Moreover, all single words and pairs of words are distinguishable. Indeed, consider the sets $\{x\}$ and $\{y, z\}$, $y \ne z$. Then without loss of generality $y \ne x$, and because $|B_1(y) \cap B_1(x)| \le 2$, we know that $B_1(y) \cap C'$ contains at least one codeword which is not in $B_1(x)$.

Thus we only need to check that all pairs are identified from one another. Let us divide the words of $\mathbb{F}_2^{2n+1}$ into two classes by their first bit and consider the codewords which cover a word in each class. Let $x = (a, u, u+v) \in \mathbb{F}_2^{2n+1}$.

I. If $a = \pi(u)$ then $I(x) = \{\, (\pi(u), u, u+c) \mid c \in C,\ d(c,v) \le 1 \,\}$.

II. If $a \ne \pi(u)$ then $I(x) = A \cup \{\, (a, u', u+v) \mid d(u',u) = 1,\ \exists c \in C : u+v = u'+c \,\}$. Here $A = \{(\pi(u), u, u+v)\}$ if $v \in C$, and $A = \emptyset$ if $v \notin C$.

So in both classes we are interested in the codewords $c \in C$ such that $d(c,v) \le 1$. Namely, in class II the properties $d(u',u) \le 1$ and $u+v = u'+c$ imply that also $d(v,c) \le 1$. If $I(x) = \{\, (b_i, s_i, t_i) \mid i = 1, 2, \dots, k \,\}$, then in both cases $I(C; v) = \{\, s_i + t_i \mid i = 1, 2, \dots, k \,\}$.

Suppose there were words $x, y, z$ and $w$ in $\mathbb{F}_2^{2n+1}$ such that

$$I(x,y) = I(z,w) \quad\text{and}\quad \{x,y\} \ne \{z,w\},\ x \ne y,\ z \ne w . \qquad (3)$$

If $v_1, v_2, v_3$ and $v_4$ are the $v$'s of $x, y, z$ and $w$ respectively, then by the previous discussion $I(C; v_1, v_2) = I(C; v_3, v_4)$. Since $C$ is a $(1,\le 2)$-identifying code we must have $\{v_1, v_2\} = \{v_3, v_4\}$. We will show that (3) cannot hold. Assume to the contrary that (3) holds.

Because $|I(x)| \ge 3$ and $I(x) \subseteq I(z) \cup I(w)$ by (3), at most one of the sets $I(x) \cap I(z)$ and $I(x) \cap I(w)$ has cardinality one or less. A similar remark applies to $I(y)$, $I(z)$ and $I(w)$. Hence we can without loss of generality assume that $|I(x) \cap I(z)| \ge 2$ and $|I(y) \cap I(w)| \ge 2$. Whichever class $x$ belongs to, $z$ belongs to the same class. Similarly $y$ and $w$ belong to the same class.

If $x = (\pi(u_1), u_1, u_1+v_1)$ and $y = (\pi(u_2), u_2, u_2+v_2)$ are words in class I, then so are $z = (\pi(u_3), u_3, u_3+v_3)$ and $w = (\pi(u_4), u_4, u_4+v_4)$. Since in $I(x)$ and $I(z)$ the codewords begin with the same $n+1$ bits, we get $u_1 = u_3$. Similarly $u_2 = u_4$. We can assume that $|I(z) \cap I(y)| \ge 1$ (or that $|I(x) \cap I(w)| \ge 1$, which is a symmetric case): otherwise $I(z) = I(x)$ and $I(w) = I(y)$, and hence $z = x$ and $w = y$. Since $z$ and $y$ are both words in class I, we get $u_2 = u_1$. The fact that $\{v_1, v_2\} = \{v_3, v_4\}$ now implies that $\{x,y\} = \{z,w\}$.

Assume now that $x = (\pi(u_1)+1, u_1, u_1+v_1)$ and $y = (\pi(u_2)+1, u_2, u_2+v_2)$, and so also $z = (\pi(u_3)+1, u_3, u_3+v_3)$ and $w = (\pi(u_4)+1, u_4, u_4+v_4)$, are words in class II. Since in $I(x)$ and $I(z)$ the codewords end with the same $n$ bits as $x$ and $z$, we get $u_1+v_1 = u_3+v_3$, and similarly $u_2+v_2 = u_4+v_4$. If now $v_1 = v_3$ and $v_2 = v_4$ we are done, since then $x = z$ and $y = w$. Suppose therefore that $v_2 = v_3$ and $v_1 = v_4$. As in the previous case, we can assume that $|I(z) \cap I(y)| \ge 1$. Now the last $n$ bits must be the same in $I(z)$ and $I(y)$, and thus $u_3+v_3 = u_2+v_2$ and we get $u_3 = u_2$, i.e., $y = z$. The word $z$ cannot cover the whole $I(x)$, otherwise $z = x$, since $|I(x)| \ge 3$ and the intersection of three different spheres of radius one has cardinality at most one. This would imply that $x = z = y$. So $w$ must cover at least one word from $I(x)$, which implies $u_1+v_1 = u_4+v_4$ and now $u_1 = u_4$, i.e., $x = w$. Therefore $\{x,y\} = \{z,w\}$.

The proof of the final case, where $x$ and $y$ belong to different classes, can be found in [16]. $\square$



Corollary 2. [16] $M^{(1,\le 2)}(2n+1) \le 2^n \cdot M^{(1,\le 2)}(n)$.

Corollary 3. [16]

For $k \ge 1$: $M^{(1,\le 2)}(3 \cdot 2^k - 1) = 2^{3 \cdot 2^k - k - 1}$.

For $k \ge 3$: $M^{(1,\le 2)}(2^k - 1) = 3 \cdot 2^{2^k - k - 1}$.

Proof. By Corollary 1 we know that $M^{(1,\le 2)}(5) = 16$. Using Corollary 2 recursively and the lower bound from Theorem 1 we get the first equation. Similarly, by Theorem 3 we get the second claim. $\square$

4 Optimal Codes for Strong Identification

In this section we provide optimal codes for strong $(1,\le 2)$-identification. We denote the direct sum [4, p. 63] of the codes $A$ and $B$ by $A \oplus B$.

Lemma 2. [15] Let $C \subseteq \mathbb{F}_2^n$ be $(1,\le 2)$-identifying and $a, b \in \mathbb{F}_2^n$, $a \ne b$. Then

$$|I(a,b) \setminus \{a,b\}| \;\ge\; \begin{cases} 2 & \text{if } d(a,b) = 1 \\ 3 & \text{if } d(a,b) = 2 \\ 4 & \text{if } d(a,b) \ge 3 . \end{cases}$$



Theorem 5. [15] If $C$ is a $(1,\le 2)$-identifying code, then $D = C \oplus \mathbb{F}_2$ is strongly $(1,\le 2)$-identifying.
Proof. (Sketch) By [9, Theorem 7] we know that $D$ is $(1,\le 2)$-identifying, and by [10, Theorem 3] we know that hence $D$ is strongly $(1,\le 1)$-identifying. Thus to prove the claim it suffices to check the following two sets of inequalities for all $x, y, z$ and $w$ in $\mathbb{F}_2^{n+1}$ and for all sets $J$ where $I'(a) \subseteq J(a) \subseteq I(a)$ and $I(a,b) \setminus \{a,b\} \subseteq J(a,b) \subseteq I(a,b)$: the first set is

$$J(x) \ne J(z,w) \qquad (4)$$

where $z \ne w$ and $J(x) \ne I(x)$ or $J(z,w) \ne I(z,w)$, and the second set is

$$J(x,y) \ne J(z,w) \qquad (5)$$

where $\{x,y\} \ne \{z,w\}$ and $J(x,y) \ne I(x,y)$ or $J(z,w) \ne I(z,w)$.

By [9, Theorem 3] we have $|I(C; x)| \ge 3$ for all $x \in \mathbb{F}_2^n$, and therefore also $|I(y)| \ge 3$ for all $y \in \mathbb{F}_2^{n+1}$ and, moreover, $|I(y)| \ge 4$ for $y \in D$. Thus $|I'(y)| \ge 3$ for all $y \in \mathbb{F}_2^{n+1}$.

Step 1: Let us first look at the inequalities (4). Either $x \ne z$ or $x \ne w$, say $x \ne z$. By (2), $|B_1(x) \cap B_1(z)| \le 2$. If $d(x,z) \ne 2$, then there are at least two codewords in $I'(z)$ which are not in $I(x)$, and only one of them can be removed from $J(z,w)$. If $d(x,z) = 2$, then there can be only one such codeword, and it can be removed from $I(z,w)$ only if it is $w$. However, then the words in $I'(w)$ cannot be in $I(x)$, since $d(x,w) = 3$. This shows that (4) is satisfied.

Step 2: Consider next the inequalities (5). We denote by $z'$ the word obtained by puncturing the last coordinate of $z \in \mathbb{F}_2^{n+1}$. In the sequel we will often use the fact that $I(a) \cap (\mathbb{F}_2^n \oplus \{1\})$, where $a = a'0 \in \mathbb{F}_2^{n+1}$, contains the unique word $a'1$ if $a \in D$ and otherwise is empty. Denote $L_0 := \mathbb{F}_2^n \oplus \{0\}$ and $L_1 := \mathbb{F}_2^n \oplus \{1\}$.

Case 1: Let $x, y, z, w \in L_0$. In the inequalities (5) we may assume that $x$ is removed from $I(x,y)$. Thus $x \in D$. Consequently, by the fact above, $x \in \{z,w\}$, say $x = z$. If also $y \in D$, then $\{x,y\} = \{z,w\}$. Similarly, we can assume that $w \notin D$. Let then $y \notin D$, so that $y$ cannot be removed from $I(x,y)$. Hence it suffices to verify that $I(x,y) \setminus \{x\} \ne I(z,w)$ and $I(x,y) \setminus \{x\} \ne I(z,w) \setminus \{z\}$. The first is immediately clear, since $x \in I(z,w)$. The second follows because $D$ is $(1,\le 2)$-identifying and hence $I(x,y) \ne I(z,w)$. This proves (5) in this case.

Case 2: Let $x, y \in L_0$ and $z, w \in L_1$. Evidently, $|I(z,w) \cap L_0| \le 2$. Therefore, by Lemma 2, we only need to examine the case where $d(x,y) = 1$, both $x$ and $y$ are removed from $I(x,y)$, and $|(I'(x) \cap L_0) \setminus I(y)| = |(I'(y) \cap L_0) \setminus I(x)| = 1$. By symmetry, we can assume that the analogous premises hold for $z$ and $w$ as well, and thus only the inequality $I(x,y) \setminus \{x,y\} \ne I(z,w) \setminus \{z,w\}$ is left to be verified. Let $(I(x,y) \cap L_0) \setminus \{x,y\} = \{c_1, c_2\}$ for some $c_1, c_2 \in D$. If the inequality fails, we must have $z = c_1'1$ and $w = c_2'1$. Similarly, $(I(z,w) \cap L_1) \setminus \{z,w\} = \{x'1, y'1\}$. But this is a contradiction, since now $I(C; \{x', y'\}) = I(C; \{z', w'\})$ although $\{x', y'\} \ne \{z', w'\}$.

The complete proof of the other (two) cases is given in [15]. $\square$

Example 1. Let us look at the other direction. Shortening (on any coordinate, with respect to 0, or with respect to 1 in the case of the fifth coordinate) the optimal strongly $(1,\le 2)$-identifying code consisting of the words

10100 01000 00100 00010 00001 11000
10010 01100 01010 01001 00011 00101
11010 10110 11001 10101 00111 01110
11110 11101 10111 11111

does not give a $(1,\le 2)$-identifying code of length four.

Corollary 4. [15] $M_s^{(1,\le 2)}(n) \le 2 \cdot M^{(1,\le 2)}(n-1)$.

We are now in the position to give the two infinite families of optimal codes.

Corollary 5. [15]

For $k \ge 1$: $M_s^{(1,\le 2)}(3 \cdot 2^k) = 2^{3 \cdot 2^k - k}$.

For $k \ge 3$: $M_s^{(1,\le 2)}(2^k) = 3 \cdot 2^{2^k - k}$.

Proof. From Corollary 3 we know that $M^{(1,\le 2)}(n) = 2^{3 \cdot 2^k - k - 1}$ if $n = 3 \cdot 2^k - 1$ ($k \ge 1$), and $M^{(1,\le 2)}(n) = 3 \cdot 2^{2^k - k - 1}$ if $n = 2^k - 1$ ($k \ge 3$). Combining this with Corollary 4 and the lower bound from Theorem 1 we obtain the equations. $\square$

No infinite family of optimal regularly or strongly $(1,\le 1)$-identifying codes is known.

Theorem 6. [15] Let $C$ be a strongly $(1,\le 2)$-identifying code of length $n$. The code $C' = \{\, (\pi(u), u, u+c) \mid u \in \mathbb{F}_2^n,\ c \in C \,\}$ is a strongly $(1,\le 2)$-identifying code of length $2n+1$.
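To make Definitions 1 and 2, the bounds of Theorem 1 and the constructions of Theorems 4, 5 and 6 concrete, here is an added worked example (written for this edit; it is not code from the paper or from the references it cites). It encodes a word of $\mathbb{F}_2^n$ as an integer whose bit $i$ is coordinate $i+1$ (our layout, not the paper's), decides identification by enumerating every fault set $X$ with $|X| \le 2$ together with every report it can produce (for strong identification, the sets $U$ of (1)), and replays the paper's claims on the 16-word code of Theorem 2 and the 22-word code of Example 1: the 16-word code meets the Theorem 1 bound and loses the property if any word is dropped, the length-11 code of Theorem 4 and the length-6 code of Theorem 5 meet the Theorem 1 bounds, the Theorem 6 code built from the 22-word code has the 704 words of Table 1, and none of the shortenings of Example 1 is $(1,\le 2)$-identifying. The full $(1,\le 2)$ enumeration is run only at lengths 4, 5 and 6; the two length-11 codes are checked for $l = 1$ and for their size.

```python
"""Identifying codes in the hypercube F_2^n: checkers for Definitions 1 and 2,
the lower bounds of Theorem 1 and the constructions of Theorems 4, 5 and 6,
run on the codes of Theorem 2 and Example 1.  Added example, not the paper's
code.  A word is an int whose bit i is coordinate i+1 (our convention)."""
from itertools import combinations

def ball1(x, n):
    """B_1(x): the word x together with its n neighbours in F_2^n."""
    return {x} | {x ^ (1 << i) for i in range(n)}

def report_map(C, n, l, strong=False):
    """Map each report that some fault set X (|X| <= l) can produce to that X.
    Regular identification: the only report is I(X) = (U_{x in X} B_1(x)) & C.
    Strong identification, eq. (1): every U with I(X) - (X & C) <= U <= I(X),
    since a faulty codeword may stay silent.  Returns None at the first
    collision (two distinct X sharing a report), i.e. when C fails."""
    Cset, seen = frozenset(C), {}
    for size in range(l + 1):
        for X in combinations(range(1 << n), size):
            IX = frozenset().union(*(ball1(x, n) for x in X)) & Cset
            quiet = [x for x in X if x in Cset] if strong else []
            for k in range(len(quiet) + 1):
                for S in combinations(quiet, k):      # codewords that keep quiet
                    U = IX - frozenset(S)
                    if U in seen:
                        return None
                    seen[U] = X
    return seen

def is_identifying(C, n, l=2):
    return report_map(C, n, l) is not None

def is_strongly_identifying(C, n, l=2):
    return report_map(C, n, l, strong=True) is not None

def lower_bound(n, l=2, strong=False):
    """Theorem 1: ceil((2l-1) 2^n / (n+1)); ceil((2l-1) 2^n / n) for strong codes."""
    return -(-(2 * l - 1) * (1 << n) // (n if strong else n + 1))

def parity(u):
    return bin(u).count("1") & 1

def double_plus_one(C, n):
    """Theorems 4 and 6: C' = {(pi(u), u, u+v) : u in F_2^n, v in C}, length 2n+1.
    Bit 0 holds pi(u), bits 1..n hold u, bits n+1..2n hold u+v (our layout)."""
    return [parity(u) | (u << 1) | ((u ^ v) << (n + 1))
            for u in range(1 << n) for v in C]

def direct_sum_F2(C, n):
    """Theorem 5: D = C (+) F_2 = {(c, b) : c in C, b in F_2}, b as the new top bit."""
    return [c | (b << n) for c in C for b in (0, 1)]

def shorten(C, n, i, value):
    """Keep the words whose coordinate i+1 equals `value`, then delete it."""
    low = (1 << i) - 1
    return [(w & low) | ((w >> (i + 1)) << i) for w in C if (w >> i) & 1 == value]

def words(s):
    """'00100 ...' -> ints; the leftmost character is coordinate 1 (bit 0)."""
    return [int(w[::-1], 2) for w in s.split()]

# Theorem 2: optimal (1,<=2)-identifying code of length 5 (16 words).
C16 = words("""00100 00010 00001 11000 10100 10010 01100 01001
               00011 11010 11001 10101 01110 10111 01111 11111""")
# Example 1: optimal strongly (1,<=2)-identifying code of length 5 (22 words).
C22 = words("""10100 01000 00100 00010 00001 11000 10010 01100 01010 01001 00011
               00101 11010 10110 11001 10101 00111 01110 11110 11101 10111 11111""")

def checks():
    """Replay the paper's claims; every outcome is returned so it can be asserted."""
    c11 = double_plus_one(C16, 5)      # Theorem 4, Corollary 3: n = 11
    d6 = direct_sum_F2(C16, 5)         # Theorem 5, Corollary 5: n = 6
    s11 = double_plus_one(C22, 5)      # Theorem 6: n = 11, 22 * 32 words
    return {
        "C16 is (1,<=2)-identifying": is_identifying(C16, 5),
        "C16 meets Theorem 1 and fails if any word is dropped":
            len(C16) == lower_bound(5) == 16
            and not any(is_identifying(C16[:j] + C16[j + 1:], 5) for j in range(16)),
        "C22 is strongly (1,<=2)-identifying": is_strongly_identifying(C22, 5),
        "no shortening of C22 (Example 1) is (1,<=2)-identifying":
            all(not is_identifying(shorten(C22, 5, i, int(i == 4)), 4) for i in range(5)),
        "Theorem 4 code: 512 words = bound, (1,<=1)-identifying":
            len(c11) == lower_bound(11) == 512 and is_identifying(c11, 11, l=1),
        "Theorem 5 code: 32 words = strong bound, strongly (1,<=2)-identifying":
            len(d6) == lower_bound(6, strong=True) == 32 and is_strongly_identifying(d6, 6),
        "Theorem 6 code: 704 words (Table 1), strongly (1,<=1)-identifying":
            len(s11) == 704 and is_strongly_identifying(s11, 11, l=1),
    }

if __name__ == "__main__":
    for claim, ok in checks().items():
        print(("ok      " if ok else "FAILED  ") + claim)
```

The collision test is exact for both notions: $C$ is $(t,\le l)$-identifying precisely when the reports $I(X)$ are pairwise distinct, and strongly so precisely when the families $\bar I_t(X)$ of (1) are pairwise disjoint, which is the same as no single $U$ occurring in two families. Dropping the `strong` enumeration and running at length 5 reproduces Corollary 1 by exhaustion in well under a second.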



5 On General Graphs

Let $G = (V,E)$ be a connected undirected graph where $V$ is the set of vertices and $E$ is the set of edges. A nonempty subset $C \subseteq V$ is called a code and its elements are codewords of $C$. Let $d(u,v)$ denote the number of edges in any shortest path between $u$ and $v$. Define $B_t(x) = \{\, y \in V \mid d(x,y) \le t \,\}$. Denote ($A \subseteq V$)

$$I_t(A) = \Bigl(\bigcup_{a \in A} B_t(a)\Bigr) \cap C .$$

A code $C \subseteq V$ is called $(t,\le l)$-identifying if for any two distinct sets $X, Y \subseteq V$ ($|X|, |Y| \le l$) we have $I_t(X) \ne I_t(Y)$. If moreover for all distinct sets $X, Y \subseteq V$ of cardinality at most $l$ we get $I_t(X) \setminus S \ne I_t(Y) \setminus T$ for every $S \subseteq X \cap C$ and $T \subseteq Y \cap C$, then $C$ is called strongly $(t,\le l)$-identifying.
Table 1. Bounds on regular and strong $(1,\le 2)$-identification (see [9,16,15]). An entry $a$-$b$ gives the best known lower and upper bounds; a single entry is the exact value.

  n    M^{(1,<=2)}(n)    M_s^{(1,<=2)}(n)
  4    11                -
  5    16                22
  6    30-32             32
  7    48                55-64
  8    90-96             96
  9    154-176           171-192
 10    289-352           308-352
 11    512               559-704
 12    972-1024          1024
 13    1756-2048         1891-2048
 14    3356-4096         3511-4096
 15    6144              6554-8192
 16    11566-12288       12288



Theorem 7. Let $G = (V,E)$ ($|V| < \infty$) be as above. If $C \subseteq V$ is strongly $(t,\le l)$-identifying, then

$$2^{|C|} \;\ge\; \sum_{i=0}^{l} \sum_{j=0}^{i} 2^{j} \binom{|C|}{j} \binom{|V| - |C|}{i - j} .$$

Proof. Assume that $C$ is strongly $(t,\le l)$-identifying. Let $X \subseteq V$, where $|X| = i$ ($0 \le i \le l$), consist of exactly $j$ ($0 \le j \le i$) codewords of $C$ and $i-j$ noncodewords. Then we have $|\{\, U \mid I_t(X) \setminus (X \cap C) \subseteq U \subseteq I_t(X) \,\}| = 2^j$, i.e., $X$ implies the existence of $2^j$ distinct subsets of $C$. There are $\binom{|C|}{j}\binom{|V|-|C|}{i-j}$ such $X$'s with exactly $j$ codewords in them.

The total number of different subsets of $C$ is therefore at least $\sum_{i=0}^{l}\sum_{j=0}^{i} 2^j \binom{|C|}{j}\binom{|V|-|C|}{i-j}$, and there are $2^{|C|}$ subsets of $C$ all in all. This gives the claim. $\square$

The set of vertices adjacent to a vertex $x \in V$ is denoted by $\Gamma(x)$. The degree of $x$ is $d(x) = |\Gamma(x)|$. The minimal degree of the vertices of $G$ is denoted by $\delta = \delta(G)$.

Theorem 8. Let $G = (V,E)$ be again as above with $|V| \ge 3$. If there is a $(1,\le l)$-identifying code $C \subseteq V$, then $l \le \delta(G)$.

Proof. Let $x \in V$ be a vertex giving the minimal degree, i.e., $d(x) = \delta(G) \ge 1$. Assume that $C$ is $(1,\le l)$-identifying. Denote $\Gamma(x) = \{v_1, \dots, v_\delta\}$. If $l > \delta(G)$, then $I_1(v_1, v_2, \dots, v_\delta) = I_1(v_1, \dots, v_\delta, x)$, because $B_1(x) = \{x\} \cup \Gamma(x)$ is already covered by the spheres of the neighbours, which is impossible. $\square$

Example 2. Consider any path $P_\ell$ of length $2 \le \ell < \infty$. Then the code $C$ consisting of all the vertices of $P_\ell$ is $(1,\le 1)$-identifying, but according to the previous theorem it is not $(1,\le 2)$-identifying. This example shows that we can have $(1,\le \delta)$-identifying codes.

For specific graphs we can of course say more; for example, there does not exist a $(1,\le l)$-identifying code in $\mathbb{F}_2^n$ if $l > n/2 + 2$ and $n$ is even, or if $l > [n/2] + 1$ and $n$ is odd.
Abstract. A projective multiset is a collection of projective points,
which are not necessarily distinct. A linear code can be represented as 
a projective multiset, by taking the columns of a generator matrix as 
projective points. Projective multisets have proved very powerful in the 
study of generalised Hamming weights. In this paper we study relations 
between a code and its dual. 



1 Background 

A linear code is a normed space and the weights (or norms) of codewords are 
crucial for the code’s performance. One of the most important parameters of a 
code is the minimum distance or minimum weight of a codeword. 

The concept of weights can be generalised to subcodes or even arbitrary subsets of the code. (This is often called support weights or support sizes.) One of the key papers is [16], where Wei defined the $r$th generalised Hamming weight to be the least weight of an $r$-dimensional subcode. After Wei's work, we have seen many attempts to determine the generalised Hamming weights of different classes of codes.

Weights are alpha and omega for codes. Yet we know very little about the 
weight structure of most useful codes. The generalised Hamming weights give 
some information, and several practical applications are known, including finding 
bounds on the trellis complexity [8,7]. Still they do not fully answer our questions. 

Several other parameters describing weights of subcodes have been introduced, and they can perhaps contribute to understanding the structure of linear codes. The support weight distribution appeared as early as 1977 in [9]. The chain condition from [17] has received a lot of attention. Chen and Kløve [4,3] introduced the greedy weights, inspired by a set of parameters from [5].

It is well known that a code and its dual are closely related. Kløve [11] has generalised the MacWilliams identities to give a relation for the support weight distributions. Wei [16] found a simple relation between the weight hierarchies of a code and its dual. We will find a similar result for the greedy weights.

We consider a linear $[n,k]$ code $C$. We usually define a linear code by giving the generator matrix $G$. The rows of $G$ make a basis for $C$, and as such they are much studied. Many works consider the columns instead. This gives rise to the projective multisets [6]. The weight hierarchy is easily recognised in this representation [10,15]. Other terms for projective multisets include projective systems [15] and value assignments [2].

There are at least two ways to develop the correspondence between codes 
and multisets. Most coding theorists will probably just take the columns of 
some generator matrix (e.g. [10,2]). Some mathematicians (e.g. [6,15]) develop 
the projective multisets abstractly. They take the elements to be the coordinate 
forms on C, and get a multiset on the dual space of C (this is not the dual code). 
Hence their argument does not depend on the (non-unique) generator matrix of 
C. 

We will need the abstract approach for our results, but we will try to carefully explain the connections between the two approaches, in the hope of reaching more readers. For the interested reader, we refer to a more thorough report [14], where we use the present techniques to address some other problems, including support weight distributions, in addition to the present results.



2 Definitions and Notation 

2.1 Vectors, Codes, and Multisets 

A multiset is a collection of elements, which are not necessarily distinct. More formally, we define a multiset $\gamma$ on a set $S$ as a map $\gamma : S \to \{0, 1, 2, \dots\}$. The number $\gamma(s)$ is the number of occurrences of $s$ in the collection $\gamma$. The map $\gamma$ is always extended to the power set of $S$,

$$\gamma(S') = \sum_{s \in S'} \gamma(s) .$$

The number $\gamma(s)$, where $s \in S$ or $s \subseteq S$, is called the value of $s$. The size of $\gamma$ is the value $\gamma(S)$.

We will be concerned with multisets of vectors. We will always keep the 
informal view of 7 as a collection in mind. 

We consider a fixed finite field $F$ with $q$ elements. A message word is a $k$-tuple over $F$, while a codeword is an $n$-tuple over $F$. Let $M$ be a vector space of dimension $k$ (the message space), and $V$ a vector space of dimension $n$ (the channel space). The generator matrix $G$ gives a linear, injective transformation $G : M \to V$, and the code $C$ is simply the image under $G$.

As vector spaces, $M$ and $C$ are clearly isomorphic. For every message word $m$, there is a unique codeword $c = mG$.

A codeword $(c_1, c_2, \dots, c_n) = mG$ is given by the value $c_i$ in each coordinate position $i$. If we know $m$, we obtain this value as the inner product of $m$ and the $i$th column $g_i$ of $G$, i.e.

$$c_i = g_i \cdot m = \sum_{j=1}^{k} g_{i,j}\, m_j, \qquad\text{where } g_i = (g_{i,1}, g_{i,2}, \dots, g_{i,k}), \qquad (1)$$

and $m = (m_1, m_2, \dots, m_k)$.




94 



H.G. Schaathun 



The columns $g_i$ are elements of $M$. These vectors are not necessarily distinct, so they make a multiset

$$\gamma_C : M \to \{0, 1, 2, \dots\}.$$

If we reorder the columns of $G$, we get an equivalent code. Hence $\gamma_C$ defines $C$ up to equivalence. If we replace a column with a proportional vector, we also get an equivalent code. Therefore many papers consider $\gamma_C$ a multiset on the projective space $P(M)$, and a projective multiset will also define the code up to equivalence.

We say that two multisets $\gamma$ and $\gamma'$ on $M$ are equivalent if $\gamma' = \gamma \circ \phi$ for some automorphism $\phi$ on $M$. Such an automorphism is given by $\phi : g \mapsto gA$ where $A$ is a square matrix of full rank. Replacing all the $g_i$ by $g_i A$ in (1) is equivalent to replacing $m$ by $Am$. In other words, equivalent multisets give different encodings, but they give the same code. This is an important observation, because it implies that the coordinate system on $M$ is not essential.

Now we seek a way to represent the elements of $\gamma_C$ as vectors of $V$.

Let $b_i$ be the $i$th coordinate vector of $V$, that is the vector with 1 in position $i$ and 0 in all other positions. The set of all coordinate vectors is denoted by

$$\mathcal{B} := \{b_1, b_2, \dots, b_n\}.$$

If we know the codeword $c$ corresponding to $m$, the $i$th coordinate position $c_i$ is given as the inner product of $b_i$ and $c$,

$$c_i = b_i \cdot c = \sum_{j=1}^{n} c_j\, b_{i,j}, \qquad\text{where } b_i = (b_{i,1}, b_{i,2}, \dots, b_{i,n}), \qquad (2)$$

and $c = (c_1, c_2, \dots, c_n)$.



We note that $b_i$ takes the role of $g_i$, and $c$ takes the role of $m$ from (1).

However, $b_i$ is not the only vector of $V$ with this property. In fact, for any vector $c' \in C^\perp$, we have $(b_i + c') \cdot c = c_i$. Therefore, we can consider the vector $b_i$ as the coset $b_i + C^\perp$ of $C^\perp$. The set of such cosets is usually denoted $V/C^\perp$, and it is a vector space of dimension

$$\dim V/C^\perp = \dim V - \dim C^\perp = n - (n-k) = k = \dim M.$$

Hence $M \cong V/C^\perp$ as vector spaces. Obviously $b_i + C^\perp$ corresponds to $g_i$.

We let $\mu : V \to V/C^\perp$ be the natural epimorphism (the quotient map), i.e. $\mu : g \mapsto g + C^\perp$. This map is not injective, so if $S \subseteq V$, it is reasonable to view the image $\mu(S)$ as a multiset. Our analysis gives this lemma.



Lemma 1. A code $C \subseteq V$ is given by the vector multiset $\gamma_C := \mu(\mathcal{B})$ on $V/C^\perp \cong M$.

Given a collection $\{s_1, s_2, \dots, s_m\}$ of vectors and/or subsets of a vector space $V$, we write $\langle s_1, s_2, \dots, s_m \rangle$ for its span. In other words, $\langle s_1, s_2, \dots, s_m \rangle$ is the intersection of all subspaces containing $s_1, s_2, \dots, s_m$.
2.2 Weights

We define the support $\chi(c)$ of $c \in C$ to be the set of coordinate positions not equal to zero, that is

$$\chi(c) := \{\, i \mid c_i \ne 0 \,\}, \qquad\text{where } c = (c_1, c_2, \dots, c_n).$$

The support of a subset $S \subseteq C$ is

$$\chi(S) = \bigcup_{c \in S} \chi(c).$$

The weight (or support size) $w(S)$ is the cardinality of $\chi(S)$. The $i$th minimum support weight $d_i(C)$ is the smallest weight of an $i$-dimensional subcode $D_i \subseteq C$. The subcode $D_i$ will be called a minimum $i$-subcode. The weight hierarchy of $C$ is $(d_1(C), d_2(C), \dots, d_k(C))$. The following lemma was proved in [10], and the remark is a simple consequence of the proof.

Lemma 2. There is a one-to-one correspondence between subcodes $D \subseteq C$ of dimension $r$ and subspaces $U \subseteq M$ of codimension $r$, such that $\gamma_C(U) = n - w(D)$.

Remark 1. Consider two subcodes $D_1$ and $D_2$, and the corresponding subspaces $U_1$ and $U_2$. We have that $D_1 \subseteq D_2$ is equivalent with $U_2 \subseteq U_1$.

We define $d_{k-r}(\gamma_C)$ such that $n - d_{k-r}(\gamma_C)$ is the largest value of an $r$-space $U_r \subseteq PG(k-1, q)$. From Lemma 2 we get this corollary.

Corollary 1. If $C$ is a linear code and $\gamma_C$ is the corresponding multiset, then $d_i(\gamma_C) = d_i(C)$.

Definition 1. We say that a code is chained if there is a chain $0 = D_0 \subset D_1 \subset \dots \subset D_k = C$, where each $D_i$ is a minimum $i$-subcode of $C$.

In terms of vector systems, the chain of subcodes corresponds to a chain of maximum value subspaces by Remark 1. The difference sequence $(\delta_0, \dots, \delta_{k-1})$ is defined by $\delta_i = d_{k-i} - d_{k-i-1}$, and is occasionally more convenient than the weight hierarchy.

2.3 Submultisets 

Viewing the multiset $\gamma$ as a collection, we probably have an intuitive notion of a submultiset. A submultiset $\gamma' \subseteq \gamma$ is a multiset with the property that $\gamma'(x) \le \gamma(x)$ for all $x$.

If $\gamma$ is a multiset on some vector space $V$, we define a special kind of submultiset, namely the cross-sections. If $U \subseteq V$ is a subspace, then the cross-section $\gamma|_U$ is the multiset defined by $\gamma|_U(x) = \gamma(x)$ for $x \in U$, and $\gamma|_U(x) = 0$ otherwise.

If $U$ has dimension $r$, we call $\gamma|_U$ an $r$-dimensional cross-section. In some cases it is easier to deal with cross-sections and their sizes than with subspaces and their values. In Lemma 2, we can consider the cross-section $\gamma_C|_U$ rather than the subspace $U$. In particular, we have that $n - d_{k-r}(\gamma_C)$ is the size of the largest $r$-dimensional cross-section of $\gamma_C$.
2.4 Duality

Consider a code $C \subseteq V$ and its orthogonal code $C^\perp \subseteq V$. Write $(d_1, \dots, d_k)$ for the weight hierarchy of $C$, and $(d_1^\perp, \dots, d_{n-k}^\perp)$ for the weight hierarchy of $C^\perp$. Let $\mathcal{B}$ be the set of coordinate vectors for $V$, and let $\mu$ be the natural epimorphism

$$\mu : V \to V/C^\perp, \qquad \mu : v \mapsto v + C^\perp .$$

According to Lemma 1, the vector multiset corresponding to $C$ is $\gamma_C := \mu(\mathcal{B})$.

Let $B \subseteq \mathcal{B}$. Then $\mu(B)$ is a submultiset of $\gamma_C$. Every submultiset of $\gamma_C$ is obtained this way. Obviously $\dim\langle B \rangle = \#B$. Let $D := \langle B \rangle \cap C^\perp$ be the largest subcode of $C^\perp$ contained in $\langle B \rangle$. Then $D$ is the kernel of the restriction $\mu|_{\langle B \rangle}$ of $\mu$ to $\langle B \rangle$. Hence

$$\dim\langle \mu(B) \rangle = \dim\langle B \rangle - \dim D. \qquad (3)$$

Clearly $\#B \ge w(D)$.

With regard to the problem of support weights, we are not interested in arbitrary submultisets of $\gamma_C$. We are only interested in cross-sections. Therefore, we ask when $\mu(B)$ is a cross-section of $\mu(\mathcal{B})$. This is of course the case if and only if $\mu(B)$ equals the cross-section $\mu(\mathcal{B})|_{\langle \mu(B) \rangle}$.

Let $U \subseteq V/C^\perp$ be a subspace. We have $\mu(\mathcal{B})|_U = \mu(\bar B)$, where $\bar B = \{\, b \in \mathcal{B} \mid \mu(b) \in U \,\}$. Hence we have $\mu(B) = \mu(\mathcal{B})|_{\langle \mu(B) \rangle}$ if and only if there exists no point $b \in \mathcal{B} \setminus B$ such that $\mu(b) \in \langle \mu(B) \rangle$.

It follows from (3) that a large cross-section $\mu(B)$ of a given dimension must be such that $\langle B \rangle$ contains a large subcode of $C^\perp$ of sufficiently small weight. Define for any subcode $D \subseteq C^\perp$

$$\beta(D) := \{\, b_i \mid i \in \chi(D) \,\} \subseteq \mathcal{B}.$$

Obviously $\beta(D)$ is the smallest subset of $\mathcal{B}$ such that $D$ is contained in its span. It follows from the above argument that if $D$ is a minimum subcode and $\mu(\beta(D))$ is a cross-section, then $\mu(\beta(D))$ is a maximum cross-section for $C$. Thus we are led to the following two lemmas.

Lemma 3. If $n - d_r = d_i^\perp$, $B \subseteq \mathcal{B}$, and $\#B = n - d_r$, then $\mu(B)$ is a cross-section of maximum size and codimension $r$ if and only if $B = \beta(D_i)$ for some minimum $i$-subcode $D_i \subseteq C^\perp$.

Lemma 4. Let $r$ be an arbitrary number, $0 < r < n-k$. Let $i$ be such that $d_i^\perp \le n - d_r < d_{i+1}^\perp$, and let $D_i \subseteq C^\perp$ be a minimum $i$-subcode. Then $\mu(\langle B \rangle)$ is a maximum $r$-subspace for any $B \subseteq \mathcal{B}$ such that $D_i \subseteq \langle B \rangle$ and $\#B = n - d_r$.

As an example of our technique, we include two old results from [16,17], with new proofs based on the argument above.

Proposition 1 (Wei 1991). The weight sets

$$\{d_1, d_2, \dots, d_k\} \qquad\text{and}\qquad \{\, n+1-d_1^\perp,\ n+1-d_2^\perp,\ \dots,\ n+1-d_{n-k}^\perp \,\}$$

are disjoint, and their union is $\{1, 2, \dots, n\}$.
Proof. Suppose for a contradiction that $d_i = n - s$ and $d_j^\perp = s + 1$ for some $i$, $j$, and $s$. Let $D_j \subseteq C^\perp$ be a minimum $j$-subcode. Let $B_i \subseteq \mathcal{B}$ be such that $\mu(B_i)$ is a maximum cross-section of codimension $i$. We have $d_j^\perp = \#B_i + 1$ and thus $\dim(\langle B_i \rangle \cap C^\perp) < j$. Hence $\dim \mu(B_i) > \dim$ . Thus $\mu(B_i)$ cannot be a maximum cross-section, contrary to assumption.

Proposition 2 (Wei and Yang 1993). If $C$ is a chained code, then so is $C^\perp$, and vice versa.

Proof. Suppose $C^\perp$ is a chained code. Let

$$\{0\} = D_0 \subset D_1 \subset \dots \subset D_{n-k} = C^\perp$$

be a chain of subcodes of minimum weight. Choose a coordinate ordering such that

$$\chi(D_i) = \{1, 2, \dots, d_i^\perp\}, \qquad \forall i.$$

For each $r = 1, 2, \dots, n$, let $B_r \subseteq \mathcal{B}$ be the set of the $r$ first coordinate vectors. By our argument, $\mu(B_r)$ is a cross-section of maximum size except if $d_i^\perp = r + 1$ for some $i$, in which case there is no cross-section of maximum size and $r$ elements. Obviously $\mu(B_r) \subseteq \mu(B_{r+1})$ for all $r$.



3 Greedy Weights 

3.1 Definitions 

Definition 2 (Greedy $r$-subcode). A (bottom-up) greedy 1-subcode is a minimum 1-subcode. A (bottom-up) greedy $r$-subcode, $r \ge 2$, is any $r$-dimensional subcode containing a (bottom-up) greedy $(r-1)$-subcode, such that no other such code has lower weight.



Definition 3 (Greedy subspace). Given a vector multiset $\gamma$, a (bottom-up) greedy hyperplane is a hyperplane of maximum value. A (bottom-up) greedy space of codimension $r$, $r > 1$, is a subspace of codimension $r$ contained in a (bottom-up) greedy space of codimension $r-1$, such that no other such subspace has higher value.

A greedy $r$-subcode corresponds to a greedy subspace of codimension $r$, and the $r$th greedy weight may be defined from either, as follows.

Definition 4 (Greedy weights). The $r$th (bottom-up) greedy weight $e_r$ is the weight of a (bottom-up) greedy $r$-subcode. For a vector multiset, $n - e_r$ is the value of a (bottom-up) greedy space of codimension $r$.

Remark 2. We have obviously that $d_1 = e_1$ and $d_k = e_k$ for any $k$-dimensional code. For most codes $e_2 > d_2$ [5]. The chain condition is satisfied if and only if $e_r = d_r$ for all $r$.
We introduce a new set of parameters, the top-down greedy weights. It is in
a sense the dual of the greedy weights, and we will see later on that top-down 
greedy weights can be computed from the greedy weights of the orthogonal code, 
and vice versa. 

Definition 5 (Top-Down Greedy Subspace). A top-down greedy 0-space of a vector multiset is $\{0\}$. A top-down greedy $r$-space is an $r$-space containing a top-down greedy $(r-1)$-subspace such that no other such subspace has higher value.

Definition 6 (Top-Down Greedy Weights). The $r$th top-down greedy weight $\tilde e_r$ is $n - \gamma_C(\Pi)$, where $\Pi$ is a top-down greedy subspace of codimension $r$.

Remark 3. The top-down greedy weights share many properties with the (bottom-up) greedy weights. For all codes $\tilde e_r \ge d_r$. The chain condition holds if and only if $\tilde e_r = d_r$ for all $r$. In general, $\tilde e_r$ may be equal to, greater than, or less than $e_r$.

We will occasionally speak of (top-down) greedy cross-sections, which is just $\gamma_C|_U$ for some (top-down) greedy space $U$.




$$\gamma(P) = \begin{cases} 0 & \text{for } P \in \langle A, B, C \rangle \setminus \{A, D\},\ P \in \{F, H, I, J\} \\ 1 & \text{for } P \in \langle B, F \rangle \setminus \{B, F, H\},\ P \in \langle G, I \rangle \setminus \{G, H, I\},\ P = D \\ 3 & \text{for } P = C \\ 2 & \text{otherwise} \end{cases}$$

Fig. 1. Case B, Construction 1 from [1].



Example 1. We take an example of a code from [1] (Case B). The projective multiset is presented in Fig. 1. A chain of greedy subspaces is

$$0 \subset \langle A \rangle \subset \langle A, L \rangle \subset \langle A, B, C \rangle \subset PG(4, q),$$

and a chain of top-down greedy subspaces is

$$0 \subset \langle C \rangle \subset \langle C, D \rangle \subset \langle A, C, D \rangle \subset PG(4, q).$$

In the binary case, we get greedy weights $(4, 6, 9, 12)$, and top-down greedy weights $(3, 6, 10, 12)$. The weight hierarchy is $(3, 6, 9, 12)$.



3.2 Basic Properties 

Theorem 1 (Monotonicity). If $(e_1, e_2, \dots, e_k)$ are greedy weights for some code $C$, then $0 = e_0 < e_1 < e_2 < \dots < e_k$. Similarly, if $(\tilde e_1, \tilde e_2, \dots, \tilde e_k)$ are top-down greedy weights for some code $C$, then $0 = \tilde e_0 < \tilde e_1 < \tilde e_2 < \dots < \tilde e_k$.

Proof. Let

$$\{0\} = \Pi_0 \subset \Pi_1 \subset \dots \subset \Pi_k$$

be a chain of greedy subspaces, $\Pi_i$ of dimension $i$. We are going to show that $\gamma_C|_{\Pi_i}$ contains more points than $\gamma_C|_{\Pi_{i-1}}$ for all $i$. It is sufficient to show that $\gamma_C|_{\Pi_i}$ contains a set of points spanning $\Pi_i$.

Since $\gamma_C$ is non-degenerate, it contains a set of points spanning $\Pi_k$. Suppose that $\gamma_C|_{\Pi_r}$ contains a set of points spanning $\Pi_r$. Consider $\Pi_{r-1}$. Suppose $\dim \langle \gamma_C|_{\Pi_{r-1}} \rangle < r-1$. Obviously there is a point $x \in \gamma_C|_{\Pi_r} \setminus \gamma_C|_{\Pi_{r-1}}$. Hence we can replace $\Pi_{r-1}$ by an $(r-1)$-space of $\Pi_r$ containing $\langle \gamma_C|_{\Pi_{r-1}}, x \rangle$ and get a subspace $\Pi'_{r-1} \subset \Pi_r$ with larger value. This contradicts the assumption that $\Pi_{r-1}$ is a greedy subspace.

We can replace the $\Pi_i$ with a chain of top-down greedy subspaces, and repeat the proof to prove the second statement of the theorem.

Monotonicity also holds for the weight hierarchy by a similar argument [16]. 



3.3 Duality 

Lemma 5. Suppose $\tilde e_{i+1} > \tilde e_i + 1$ where $0 \le i < k$, and define $s := n - \tilde e_i + i - k$. Then $U$ is a top-down greedy cross-section of codimension $i$ if and only if $U = \mu(\beta(D_s))$ for some greedy $s$-subcode $D_s \subseteq C^\perp$.

Proof. Let $\bar\imath$ be the largest value of $i \le k-1$ such that $\tilde e_{i+1} > \tilde e_i + 1$. Then $\delta_j = 1$ for $0 \le j \le k - 1 - (\bar\imath + 1)$. It follows that any subset $B_j$ of $j \le k - 1 - \bar\imath$ elements gives rise to a top-down greedy cross-section $\mu(B_j)$ of dimension $j$ (and size $j$). The codimension of such a $\mu(B_j)$ is $k - j \ge \bar\imath + 1$.

Hence $\mu(B_{k-\bar\imath})$ is a top-down greedy cross-section of codimension $\bar\imath$ if and only if it is a maximum value cross-section of codimension $\bar\imath$. Hence, for $i = \bar\imath$, the lemma follows from Lemma 3.

Suppose $\tilde e_{m+1} > \tilde e_m + 1$, and assume the lemma holds for all $i$ with $\bar\imath \ge i > m$. We will prove the lemma by induction. Define

$$j := \max\{\, j > m \mid \tilde e_j - \tilde e_{m+1} = j - (m+1) \,\}.$$

Clearly, $\tilde e_{j+1} - \tilde e_j > 1$.

Now consider a top-down greedy subspace $\mu(B)$ of codimension $m$. Clearly there is $B' \subseteq B$ such that $\mu(B')$ is a top-down greedy subspace of codimension $j$. By the induction hypothesis, $B' = \beta(D_r)$ for some greedy $r$-subcode $D_r \subseteq C^\perp$ where $r = n - k - \tilde e_j + j$. Also,

$$\# B' = w(D_r) = e^\perp_r = n - \tilde e_j.$$

Note that we can make top-down greedy cross-sections of codimension $x$ for $m \le x \le j$ by adding $j - x$ arbitrary elements of $B \setminus B'$ to $B'$. This implies also that there cannot be a subcode $D_{r+1}$ of dimension $r+1$ such that $D_r \subset D_{r+1} \subseteq C^\perp$ and $w(D_{r+1}) < w(D_r) + 1 + j - x$. Hence

$$e^\perp_{r+1} \ge n - \tilde e_j + 1 + j - m. \qquad (4)$$

Let $B'' \subseteq B$ be such that $\mu(B'')$ is a top-down greedy cross-section of codimension $m+1$ with $B' \subseteq B'' \subseteq B$. Note that $D_r = \langle B'' \rangle \cap C^\perp$. Let

$$z := \# B - \# B'' = (n - \tilde e_m) - (n - \tilde e_{m+1}) = \tilde e_{m+1} - \tilde e_m.$$

Write $D := \langle B \rangle \cap C^\perp$. Since $\dim \mu(B) - \dim \mu(B'') = 1$, we must have $B = \beta(D)$, and there must be a chain of $z$ subcodes

$$D_r \subset D_{r+1} \subset D_{r+2} \subset \dots \subset D_{r+z-1} = D$$

where $D_i$ has dimension $i$ for $r \le i \le r+z-1$ and $w(D_i) = w(D_{i+1}) - 1$ for $r \le i \le r+z-2$. By the bound (4), we get

$$w(D_i) = n - \tilde e_j + 1 + j - m + i - r - 1 = e^\perp_i.$$

And in particular

$$w(D) = w(D_{r+z-1}) = n - \tilde e_j + j - m + z - 1 = e^\perp_{r+z-1}.$$

It remains to show that $s = r + z - 1$ (where $s$ is given in the lemma). Consider

$$r + z - 1 - s = (n - k - \tilde e_j + j) + (\tilde e_{m+1} - \tilde e_m) - 1 - (n - k - \tilde e_m + m) = j - \tilde e_j + \tilde e_{m+1} - (m+1) = 0,$$

by the definition of $j$. □

Corollary 2. If $i$ and $s$ are as given in Lemma 5, then $e^\perp_s = n - \tilde e_i$.

Theorem 2 (Duality). Let $(e_1, \dots, e_k)$ be the greedy weight hierarchy of a code $C$, and $(\tilde e^\perp_1, \dots, \tilde e^\perp_{n-k})$ the top-down greedy weight hierarchy of $C^\perp$. Then

$$\{e_1, e_2, \dots, e_k\} \quad\text{and}\quad \{n + 1 - \tilde e^\perp_1, n + 1 - \tilde e^\perp_2, \dots, n + 1 - \tilde e^\perp_{n-k}\}$$

are disjoint sets whose union is $\{1, \dots, n\}$.

Proof. Let $i_1 < i_2 < \dots$ be the values of $i$ for which $\tilde e^\perp_{i+1} > \tilde e^\perp_i + 1$. Going to the proof of Lemma 5 (applied to $C^\perp$, whose orthogonal code is $C$), with $m = i_x$, we get $j = i_{x+1}$. The proof showed that $n - \tilde e^\perp_y + 1 \neq e_s$ for all $s$ and all $y$ with $i_x \le y < i_{x+1}$. This holds for all $x$, hence the theorem. □
Type II Codes over $\mathbb{F}_{2^r}$

Abstract. Motivated by the work of Pasquier and Wolfmann in the 1980's, we define Type II codes over $\mathbb{F}_{2^r}$ as self-dual codes with the property that their binary images with respect to a trace-orthogonal basis are doubly-even. We give a classification of Type II codes of length 8 over $\mathbb{F}_8$, $\mathbb{F}_{16}$ and $\mathbb{F}_{32}$. We also characterize all Type II codes whose binary images are the extended Golay $[24, 12, 8]$ code.



1 Introduction 

In the 1980's, Pasquier and Wolfmann studied self-dual codes over the finite field $\mathbb{F}_{2^r}$ whose binary images with respect to a trace-orthogonal basis (TOB) are Type II (that is, doubly-even self-dual) codes, including the extended Hamming code and the extended Golay code, noting that the binary images of self-dual codes over $\mathbb{F}_{2^r}$ with respect to a TOB are self-dual (see [6], [7], [8], [10], [11] and [12]). In their papers, extended Reed-Solomon codes and H-codes were widely investigated. More precisely, extended Reed-Solomon codes and H-codes whose binary images are extremal Type II codes of lengths 32, 40 and 64 were constructed (see [8]), and two classes of H-codes whose binary images with respect to a TOB are Type II were found [12]. Recently Type II codes over $\mathbb{F}_4$ have been introduced in [3] as self-dual codes whose binary images with respect to the unique TOB are Type II. In this paper, we define Type II codes over $\mathbb{F}_{2^r}$ as codes whose binary images with respect to a TOB are Type II.

The organization of this paper is as follows. In Sect. 2, we introduce Type II codes over $\mathbb{F}_{2^r}$ along with giving basic properties. We also investigate Lee weight enumerators of Type II codes. In Sects. 3, 4 and 5, we investigate Type II codes over $\mathbb{F}_8$, $\mathbb{F}_{16}$ and $\mathbb{F}_{32}$, respectively. The classification of Type II codes over $\mathbb{F}_8$, $\mathbb{F}_{16}$ and $\mathbb{F}_{32}$ of length 8 is given. In Sect. 4, it is shown that there is no extremal Type II $\mathbb{F}_{16}$-code of length 12. In the final section, we characterize all Type II codes over $\mathbb{F}_{2^r}$ whose binary images are the extended Golay $[24, 12, 8]$ code, and we show that the extended Reed-Solomon codes $RS_{32}(a)$ are not extremal for any primitive element $a$ of $\mathbb{F}_{32}$.



S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 102-111, 2001.
© Springer-Verlag Berlin Heidelberg 2001
2 Basic Results

In this section, we introduce Type II codes over $\mathbb{F}_{2^r}$ and give properties of these codes.

A basis $B = \{b_1, b_2, \dots, b_r\}$ of $\mathbb{F}_{2^r}$ over $\mathbb{F}_2$, viewed as an $\mathbb{F}_2$-vector space, is called a trace-orthogonal basis (TOB) of $\mathbb{F}_{2^r}$ if $\mathrm{Tr}(b_i b_j) = \delta_{ij}$, where $\mathrm{Tr}$ denotes the trace of $\mathbb{F}_{2^r}$ over $\mathbb{F}_2$ and $\delta_{ij}$ is the Kronecker symbol.

Definition 1. Let $B = \{b_1, b_2, \dots, b_r\}$ be a TOB of $\mathbb{F}_{2^r}$. Let $x = \sum_{i=1}^r a_i b_i$ be an element of $\mathbb{F}_{2^r}$ where $a_i \in \mathbb{F}_2$. Then the Lee weight of $x$ with respect to $B$ is defined as the number of $i$'s with $a_i = 1$. The Lee weight $\mathrm{wt}_B(c)$ of a vector $c$ with respect to $B$ is the sum of the Lee weights of its components. A Type II code over $\mathbb{F}_{2^r}$ with respect to $B$ is a self-dual code with the property that the Lee weights of the codewords with respect to $B$ are divisible by four.

If $r = 2$, then there is a unique TOB $B = \{\omega, \omega^2\}$ of $\mathbb{F}_4 = \mathbb{F}_2[\omega]/(\omega^2 + \omega + 1)$, and Type II codes over $\mathbb{F}_4$ with respect to $B$ have been investigated in [2,3].

We remark that our definition of Type II codes depends on the choice of 
a TOB. However, the definition of Type II codes with respect to a TOB was 
recently shown to be independent of the choice of a TOB, by the first author [1]. 

For $x = (x_1, x_2, \dots, x_n) \in \mathbb{F}_{2^r}^n$, the binary image $\phi_B(x)$ of $x$ with respect to a basis $B$ is obtained by replacing each component $x_i$ by $(x_i^1, x_i^2, \dots, x_i^r)$ where $x_i = \sum_{j=1}^r x_i^j b_j$. Note that the definition of $\phi_B(x)$ depends on the ordering of the elements of $B$. However, the resulting binary image $\phi_B(C)$ of a code $C$ is determined up to permutation-equivalence. If $C$ is a Type II $\mathbb{F}_{2^r}$-code of length $n$ and minimum Lee weight $d_B$ with respect to a TOB $B$, then the binary image $\phi_B(C)$ is a binary Type II $[rn, rn/2, d_B]$ code. In particular, $rn$ is divisible by 8, and $d_B \le 4\lfloor rn/24 \rfloor + 4$ holds (see [9]). A Type II code meeting this bound is called extremal (with respect to the TOB $B$). Note that $d_B \le n$ since a self-dual code contains the all-one vector, and hence also its scalar multiple $(b_1, b_1, \dots, b_1)$, which has Lee weight $n$.

We are interested in the classification of the binary images of Type II codes, 
as well as the classification of Type II codes themselves. Since the binary image 
of a Type II code depends on the choice of a TOB, we will first classify TOB’s 
and Type II codes, then determine the binary images of Type II codes with 
respect to each of the TOB’s. 

We now give some results on Type II codes. 

Proposition 2. Let $C$ be a linear $[n, n/2]$ code over $\mathbb{F}_{2^r}$ and let $B$ be a TOB. If every codeword of $C$ has Lee weight divisible by four, then $C$ is Type II.

Proof. $\phi_B(C)$ is a binary doubly-even code. Thus it is self-orthogonal. For $x, y \in C$ and $a \in \mathbb{F}_{2^r}$,

$$\mathrm{Tr}(a(x \cdot y)) = \mathrm{Tr}(ax \cdot y) = \phi_B(ax) \cdot \phi_B(y) = 0$$

since $ax, y \in C$; here we used that $\mathrm{Tr}(uv) = \phi_B(u) \cdot \phi_B(v)$ for a TOB, because $\mathrm{Tr}(b_i b_j) = \delta_{ij}$. As the trace form is non-degenerate, we have that $x \cdot y = 0$. Thus $C$ is self-orthogonal. Since $C$ is a linear $[n, n/2]$ code, $C$ is self-dual. □
Theorem 3 (Munemasa [5]). The total number of Type II $\mathbb{F}_{2^r}$-codes of length $n$ with respect to a fixed TOB is given by

$$N_{II,r}(n) = \prod_{i=0}^{n/2-2} \left(2^{ri} + 1\right), \qquad (1)$$

if $rn \equiv 0 \pmod 8$ and $n \equiv 0 \pmod 4$, and $0$ otherwise.

The formula (1) is called the mass formula, and will be used to check that the classifications in Sections 3, 4 and 5 are complete.

The Lee weight enumerator of a Type II $\mathbb{F}_{2^r}$-code $C$ of length $n$ with respect to a TOB $B$ is defined as $W_B(C) = \sum_{c \in C} x^{rn - \mathrm{wt}_B(c)} y^{\mathrm{wt}_B(c)}$. It is easy to see that the Lee weight enumerator of $C$ is the same as the Hamming weight enumerator of the binary image $\phi_B(C)$, which is a binary Type II code. By Gleason's theorem, $W_B(C) \in \mathbb{C}[W_{e_8}, W_{g_{24}}]$, where $W_{e_8}$ and $W_{g_{24}}$ are the Hamming weight enumerators of the binary extended Hamming $[8,4,4]$ code $e_8$ and the extended Golay $[24,12,8]$ code $g_{24}$, respectively. Let $\mathbb{C}[W_{e_8}, W_{g_{24}}]_f$ denote the $f$-th homogeneous part of $\mathbb{C}[W_{e_8}, W_{g_{24}}]$. The Lee weight enumerator of a Type II code over $\mathbb{F}_{2^r}$ belongs to $\bigoplus_{f=0}^{\infty} \mathbb{C}[W_{e_8}, W_{g_{24}}]_{8rf}$ or $\bigoplus_{f=0}^{\infty} \mathbb{C}[W_{e_8}, W_{g_{24}}]_{4rf}$, if $r$ is odd or even, respectively. In particular, for $r = 3$, we have

$$\bigoplus_{f=0}^{\infty} \mathbb{C}[W_{e_8}, W_{g_{24}}]_{24f} = \mathbb{C}[W_{e_8}^3, W_{g_{24}}] = \mathbb{C}[\varphi_{3,1}, \varphi_{3,2}] \qquad (2)$$

where we define $\varphi_{3,1} = W_{g_{24}}$ and $\varphi_{3,2} = (W_{e_8}^3 - W_{g_{24}})/42$ for later use. We will show that the Lee weight enumerators of Type II codes over $\mathbb{F}_8$ generate the ring (2).

Similarly for $r = 4$, we have

$$\bigoplus_{f=0}^{\infty} \mathbb{C}[W_{e_8}, W_{g_{24}}]_{16f} = \mathbb{C}[W_{e_8}^2, W_{e_8} W_{g_{24}}, W_{g_{24}}^2] = \mathbb{C}[\varphi_{4,1}, \varphi_{4,2}, \varphi_{4,3}] \qquad (3)$$

where we define $\varphi_{4,1} = W_{e_8}^2$, $\varphi_{4,2} = W_{e_8}^4 - 56\, W_{e_8} \varphi_{3,2}$ and $\varphi_{4,3} = W_{e_8}^6 - 84\, W_{e_8}^3 \varphi_{3,2} + 246\, \varphi_{3,2}^2$ for later use. Note that $\varphi_{3,1}$, $\varphi_{4,1}$, $\varphi_{4,2}$ and $\varphi_{4,3}$ are the weight enumerators of extremal binary Type II codes of lengths 24, 16, 32 and 48, respectively. We will show that the Lee weight enumerators of Type II codes over $\mathbb{F}_{16}$ generate the ring (3).
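The normalizing constants 42, 56, 84 and 246 in these definitions are forced by requiring the low-weight coefficients to vanish. The following check is added here and is not part of the original paper; it uses only $W_{e_8} = x^8 + 14x^4y^4 + y^8$ and $W_{g_{24}} = x^{24} + 759x^{16}y^8 + 2576x^{12}y^{12} + 759x^8y^{16} + y^{24}$.

$$W_{e_8}^3 = x^{24} + 42x^{20}y^4 + 591x^{16}y^8 + 2828x^{12}y^{12} + 591x^8y^{16} + 42x^4y^{20} + y^{24},$$

so that

$$\varphi_{3,2} = \frac{W_{e_8}^3 - W_{g_{24}}}{42} = x^{20}y^4 - 4x^{16}y^8 + 6x^{12}y^{12} - 4x^8y^{16} + x^4y^{20} = x^4y^4(x^4 - y^4)^4 .$$

The coefficient of $x^{28}y^4$ is $4 \cdot 14 = 56$ in $W_{e_8}^4$ and $1$ in $W_{e_8}\varphi_{3,2}$, so $\varphi_{4,2} = W_{e_8}^4 - 56 W_{e_8}\varphi_{3,2}$ has no term of weight 4. For $\varphi_{4,3} = W_{e_8}^6 - a W_{e_8}^3 \varphi_{3,2} + b \varphi_{3,2}^2$ the coefficients of $x^{44}y^4$ and $x^{40}y^8$ are

$$84 - a = 0, \qquad 2946 - 38a + b = 0,$$

which gives $a = 84$ and $b = 246$; the resulting coefficient of $x^{36}y^{12}$ is $55300 - 84 \cdot 429 - 8 \cdot 246 = 17296$, the number of weight-12 words of an extremal $[48, 24, 12]$ Type II code. In the same notation the Lee weight enumerator $\varphi_{3,1} + 42\varphi_{3,2}$ of Table 1 is simply $W_{e_8}^3$, the weight enumerator of $e_8 \oplus e_8 \oplus e_8$.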

There is a class of self-dual codes known as H-codes (see [8]). In particular for length 8, such a code has a generator matrix of the form $(\,I\,,\,A\,)$ where the rows of $A$ are $(a_1, a_2, a_3, a_4)$, $(a_2, a_1, a_4, a_3)$, $(a_3, a_4, a_1, a_2)$, $(a_4, a_3, a_2, a_1)$ with $a_1 + a_2 + a_3 + a_4 = 1$. In this paper, we call a code with generator matrix $(\,I\,,\,A\,)$ with the above $A$ simply an H-code with generator $(a_1, a_2, a_3, a_4)$. It is obvious that an H-code has a fixed-point-free involutive automorphism. We will see that any Type II code of length 8 over $\mathbb{F}_8$, $\mathbb{F}_{16}$ or $\mathbb{F}_{32}$ whose permutation automorphism group has even order is permutation-equivalent to an H-code.
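The definitions of this section (trace-orthogonal bases, Lee weight, binary image, the Type II test of Definition 1, the H-code generator matrix and the mass formula of Theorem 3) can all be checked mechanically. The following Python program is an added example and not code from the paper or its authors. It assumes $\mathbb{F}_{2^r} = \mathbb{F}_2[\alpha]/(f(\alpha))$ with $f$ passed as a bit mask and elements stored as $r$-bit integers; the field polynomials $x^3+x+1$, $x^4+x+1$, $x^5+x^2+1$ and the H-code generator $(0,1,1,1)$ are the ones used for $C_{8,1}$ below, and the TOB search simply enumerates subsets of trace-one elements.

```python
"""Trace-orthogonal bases, Lee weights, binary images and the Type II test over F_{2^r}.
Added example, not code from the paper. F_{2^r} = F_2[alpha]/(f(alpha)), f as a bit mask,
elements as r-bit ints, alpha = 0b10; 'tob' is a list of elements, 'G' a list of row tuples."""
from itertools import combinations, product
from math import factorial

def gf_mul(a, b, r, poly):
    """Product in F_{2^r}; poly e.g. 0b1011 = x^3+x+1, 0b10011 = x^4+x+1, 0b100101 = x^5+x^2+1."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> r:               # degree reached r: reduce modulo poly
            a ^= poly
    return res

def trace(x, r, poly):
    """Tr(x) = x + x^2 + ... + x^(2^(r-1)), an element of F_2."""
    t, y = 0, x
    for _ in range(r):
        t ^= y
        y = gf_mul(y, y, r, poly)
    return t

def trace_orthogonal_bases(r, poly):
    """All unordered TOBs: r elements with Tr(b_i b_j) = delta_ij. Since Tr(b^2) = Tr(b),
    every element must have trace 1; an orthonormal set is automatically independent."""
    trace_one = [x for x in range(1, 1 << r) if trace(x, r, poly) == 1]
    return [frozenset(S) for S in combinations(trace_one, r)
            if all(trace(gf_mul(a, b, r, poly), r, poly) == 0 for a, b in combinations(S, 2))]

def exponents(S, r, poly):
    """Write nonzero elements as powers of alpha (alpha is primitive for the polys above)."""
    log, a = {}, 1
    for e in range((1 << r) - 1):
        log[a] = e
        a = gf_mul(a, 0b10, r, poly)
    return frozenset(log[x] for x in S)

def binary_image(vec, tob, r, poly):
    """phi_B(vec): for a TOB the coordinates of x in the basis are Tr(x b_j)."""
    return tuple(trace(gf_mul(x, b, r, poly), r, poly) for x in vec for b in tob)

def lee_weight(vec, tob, r, poly):
    """Definition 1: number of ones in the binary image."""
    return sum(binary_image(vec, tob, r, poly))

def h_code_generator(a):
    """Generator matrix (I | A) of the length-8 H-code with generator (a1, a2, a3, a4)."""
    a1, a2, a3, a4 = a
    A = [(a1, a2, a3, a4), (a2, a1, a4, a3), (a3, a4, a1, a2), (a4, a3, a2, a1)]
    return [tuple(int(i == j) for j in range(4)) + A[i] for i in range(4)]

def codewords(G, r, poly):
    """All F_{2^r}-linear combinations of the rows of G (rows assumed independent)."""
    n, words = len(G[0]), []
    for coeffs in product(range(1 << r), repeat=len(G)):
        w = [0] * n
        for c, row in zip(coeffs, G):
            if c:
                for j in range(n):
                    w[j] ^= gf_mul(c, row[j], r, poly)
        words.append(tuple(w))
    return words

def is_self_dual(G, r, poly):
    """Rows assumed independent: self-dual iff 2k = n and all pairs of rows are orthogonal."""
    def inner(u, v):
        s = 0
        for x, y in zip(u, v):
            s ^= gf_mul(x, y, r, poly)
        return s
    return 2 * len(G) == len(G[0]) and all(inner(u, v) == 0 for u in G for v in G)

def lee_weight_distribution(G, tob, r, poly):
    """Coefficients of the Lee weight enumerator W_B(C), as {Lee weight: count}."""
    dist = {}
    for w in codewords(G, r, poly):
        lw = lee_weight(w, tob, r, poly)
        dist[lw] = dist.get(lw, 0) + 1
    return dist

def is_type_ii(G, tob, r, poly):
    """Definition 1: self-dual with every Lee weight divisible by four."""
    return is_self_dual(G, r, poly) and all(
        lw % 4 == 0 for lw in lee_weight_distribution(G, tob, r, poly))

def mass_formula(r, n):
    """Theorem 3: N_{II,r}(n) = prod_{i=0}^{n/2-2} (2^{ri} + 1) if 8 | rn and 4 | n, else 0."""
    if (r * n) % 8 or n % 4:
        return 0
    N = 1
    for i in range(n // 2 - 1):
        N *= 2 ** (r * i) + 1
    return N

def mass_check(paut_orders, n):
    """sum n!/|PAut(C)| over inequivalent codes; equals N_{II,r}(n) iff the list is complete."""
    return sum(factorial(n) // o for o in paut_orders)

if __name__ == "__main__":
    R, POLY = 3, 0b1011
    tob = sorted(trace_orthogonal_bases(R, POLY)[0])
    G = h_code_generator((0, 1, 1, 1))       # C_{8,1}: e_8 regarded as an F_8-code
    print("TOB of F_8 as exponents of alpha:", sorted(exponents(tob, R, POLY)))
    print("Type II:", is_type_ii(G, tob, R, POLY), lee_weight_distribution(G, tob, R, POLY))
    print("N_{II,3}(8) =", mass_formula(3, 8), " mass check:", mass_check([1344, 96, 56], 8))
```

Running it prints the unique TOB $\{\alpha^3, \alpha^5, \alpha^6\}$ of $\mathbb{F}_8$, confirms that $C_{8,1}$ is Type II with 42 codewords of Lee weight 4 (the $42\varphi_{3,2}$ term of Table 1), and shows that the three orders 1344, 96, 56 of Table 1 exhaust the mass $N_{II,3}(8) = 1170$. The same `mass_check` applied to the orders of Tables 2 and 3 gives 8738 and 67650.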
3 Type II Codes over $\mathbb{F}_8$

In this section, we investigate Type II codes over $\mathbb{F}_8 = \mathbb{F}_2[\alpha]/(\alpha^3 + \alpha + 1)$. The unique TOB of $\mathbb{F}_8$ is $B_8 = \{\alpha^3, \alpha^5, \alpha^6\}$.

We first give a classification of Type II codes of length 8 with respect to the unique TOB $B_8$. It turns out that all Type II codes over $\mathbb{F}_8$ belong to the class of H-codes. Let $C_{8,1}$, $C_{8,2}$ and $C_{8,3}$ be the H-codes with generators $(0, 1, 1, 1)$, $(\alpha^{?}, \alpha^{?}, \alpha^{?}, \alpha^{?})$ and $(1, \alpha^{?}, \alpha^{?}, \alpha)$, respectively. These three codes are all Type II, and we give the orders of the permutation automorphism groups and the Lee weight enumerators of these codes in Table 1. The fourth column gives the binary image using the notation in [9, Table VII]. The minimum Hamming weight $d_H$ of $C_{8,i}$ and the minimum Lee weight $d_B$, that is, the minimum weight of the binary image, are also listed in the table. Note that $C_{8,3}$ is an MDS code. We find $\sum_{C \in \mathcal{C}_8} 8!/|\mathrm{PAut}(C)| = 1170 = N_{II,3}(8)$, where $\mathcal{C}_8 = \{C_{8,1}, C_{8,2}, C_{8,3}\}$.

Theorem 3 shows that there are no other Type II codes over $\mathbb{F}_8$.



Table 1. All Type II $\mathbb{F}_8$-codes of length 8

Code       |PAut|   Lee weight enumerator                  Binary image    d_H   d_B
$C_{8,1}$   1344    $\varphi_{3,1} + 42\varphi_{3,2}$      C24              4     4
$C_{8,2}$     96    $\varphi_{3,1} + 6\varphi_{3,2}$       C27              4     4
$C_{8,3}$     56    $\varphi_{3,1}$                        C28 ($g_{24}$)   5     8



Theorem 4. There are three Type II $\mathbb{F}_8$-codes of length 8, up to permutation-equivalence, one of which is extremal.

Corollary 5. The ring $\mathbb{C}[\varphi_{3,1}, \varphi_{3,2}]$ given in (2) is generated by the Lee weight enumerators of Type II codes over $\mathbb{F}_8$.

The code $C_{8,1}$ is the extended binary Hamming code $e_8$ regarded as a code over $\mathbb{F}_8$. The code $C_{8,2}$ is given in [8, Theorem 6.8]. It follows from Pasquier's result [6] that $C_{8,3}$ is permutation-equivalent to the extended Reed-Solomon code $RS_8$ (see Sect. 6.2). The code has the Hamming weight enumerator

$$1 + 392y^5 + 588y^6 + 1736y^7 + 1379y^8 .$$

We have restricted ourselves so far to binary images with respect to a TOB, but one could consider the binary images with respect to arbitrary bases of $\mathbb{F}_8$ over $\mathbb{F}_2$. However, the results for the above three codes are uninteresting. Since $C_{8,1}$ has a binary generator matrix, its binary image is independent of the choice of a basis. As for $C_{8,2}$ and $C_{8,3}$, the binary image with respect to a basis $B$ is self-dual if and only if $B$ is a scalar multiple of the TOB $B_8$, and in this case, the binary image with respect to $B$ is the same as the binary image with respect to $B_8$.

By Theorem 3, the number of distinct Type II codes of length 16 is given by $N_{II,3}(16) = \prod_{i=0}^{6}(2^{3i} + 1)$. The order of the permutation automorphism group of each code is at most $16!$. Since $N_{II,3}(16)/16! > 1009611$, there are at least 1009612 Type II codes of length 16 up to permutation-equivalence. Therefore it seems infeasible to classify all Type II codes of this length.

4 Type II Codes over $\mathbb{F}_{16}$

In this section, we study Type II codes over $\mathbb{F}_{16} = \mathbb{F}_2[\alpha]/(\alpha^4 + \alpha + 1)$. Let $\sigma$ be the Frobenius automorphism defined by $\sigma(a) = a^2$.

Lemma 6. There are two TOB's of $\mathbb{F}_{16}$, namely $B_{16,1}$ and $B_{16,2} = B_{16,1}^\sigma$. As sets they are $\{\alpha^3, \alpha^7, \alpha^{12}, \alpha^{13}\}$ and its Frobenius image $\{\alpha^6, \alpha^9, \alpha^{11}, \alpha^{14}\}$.

There is a unique Type II code of length 4 [5]. In this section, we classify Type II $\mathbb{F}_{16}$-codes of length 8 with respect to the TOB $B_{16,1}$. According to a result of the first author [1], Type II codes with respect to $B_{16,1}$ are also Type II codes with respect to $B_{16,2}$, hence our result automatically implies the classification of Type II codes with respect to $B_{16,2}$. However, since Theorem 3 is independent of the choice of a TOB, and we can check that all codes we found are also Type II codes with respect to $B_{16,2}$ by direct computation, our classification is in fact independent of [1].

Every Type II code $C$ of length 8 is permutation-equivalent to a code with generator matrix of the form $(\,I\,,\,A\,)$ where $A$ is a $4 \times 4$ matrix over $\mathbb{F}_{16}$. Thus we only need to consider the set of $4 \times 4$ matrices $A$, rather than the set of generator matrices. The set of matrices $A$ was constructed, row by row, using a back-tracking algorithm. Permuting the rows of $A$ gives rise to a generator matrix of a code which is permutation-equivalent to the code generated by $(\,I\,,\,A\,)$. We considered only those matrices $A$ which are smallest among all matrices obtained from $A$ by permuting its rows, where the ordering is defined by regarding an $\mathbb{F}_{16}$-vector as an integral vector by some fixed ordering. Our computer search was done by constructing all matrices $A$ such that the code generated by $(\,I\,,\,A\,)$ is Type II. It is obvious that any Type II code is permutation-equivalent to one of the codes constructed.

We list all Type II codes over $\mathbb{F}_{16}$ up to permutation-equivalence in Table 2. The second column gives the orders of the permutation automorphism groups, the third column gives the Lee weight enumerators, and the fourth column gives the binary images using the notation in [9, Tables III and IV]. The minimum Hamming weight $d_H$ and the minimum Lee weight $d_B$, that is, the minimum weight of the binary image, are also listed in the table.

Note that the binary images of the codes $C_{16,1}, \dots, C_{16,5}$ and $C_{16,5}^\sigma$ turned out to be independent of the choice of a TOB. This is obvious for the codes $C_{16,1}, \dots, C_{16,4}$. Indeed, the orders of the permutation automorphism groups tell us that these codes are permutation-equivalent to their Frobenius images. Since $\phi_B(C) = \phi_{B^\sigma}(C^\sigma)$ for a code $C$ and a TOB $B$, we see that for each of these four codes, the binary image with respect to $B_{16,1}$ is permutation-equivalent to the binary image with respect to $B_{16,1}^\sigma = B_{16,2}$. For $C_{16,5}$, we have verified directly that the binary image with respect to $B_{16,1}$ is permutation-equivalent to the binary image with respect to $B_{16,2}$. This implies that the same is true for $C_{16,5}^\sigma$.

It follows that the Lee weight enumerator of each of the Type II codes of length 8 over $\mathbb{F}_{16}$ is independent of the choice of a TOB. We will see in Sect. 5 that there exists a Type II code over $\mathbb{F}_{32}$ whose binary image depends on the choice of a TOB.

In the same way as in the case of $\mathbb{F}_8$, one can consider the binary images with respect to arbitrary bases. Since $C_{16,2}$ has a binary generator matrix, its binary image is independent of the choice of a basis. The binary images with respect to a scalar multiple of a TOB $B$ are the same as the binary images with respect to $B$. If $B$ is not a scalar multiple of a TOB and $C \neq C_{16,2}$ is one of the codes listed in Table 2, then the binary image of $C$ with respect to $B$ is self-dual if and only if $C = C_{16,?}$ and $B$ is a scalar multiple of $\{\alpha, \alpha^{?}, \alpha^{?}, \alpha^{?}\}^{\sigma^t}$ for some integer $t$, and in this case the binary image is C24.

Theorem 7. There are six Type II $\mathbb{F}_{16}$-codes of length 8, up to permutation-equivalence, one of which is extremal.

As a check, we verify the mass formula: $\sum_{C \in \mathcal{C}_{16}} 8!/|\mathrm{PAut}(C)| = 8738 = N_{II,4}(8)$, where $\mathcal{C}_{16} = \{C_{16,1}, C_{16,2}, C_{16,3}, C_{16,4}, C_{16,5}, C_{16,5}^\sigma\}$.



Table 2. All Type II $\mathbb{F}_{16}$-codes of length 8

Code                          |PAut|   Lee weight enumerator                                              Binary image   d_H   d_B
$C_{16,1}$                      288    $\varphi_{4,1}^2$                                                   C24             3     4
$C_{16,2}$                     1344    $\varphi_{4,1}^2$                                                   C24             4     4
$C_{16,3}$                       15    $\varphi_{4,2} - 3(\varphi_{4,2} - \varphi_{4,1}^2)/28$             C60             3     4
$C_{16,4}$                        8    $\varphi_{4,2}$                                                     C85             4     8
$C_{16,5}$, $C_{16,5}^\sigma$    96    $\varphi_{4,2} - (\varphi_{4,2} - \varphi_{4,1}^2)/7$               C67             4     4



The code $C_{16,1}$ is the H-code with generator $(0, 0, \alpha^{?}, \alpha^{?})$, which is the direct sum of two copies of the unique Type II code of length 4. The code $C_{16,2}$ is the extended binary Hamming code $e_8$ regarded as a code over $\mathbb{F}_{16}$. The code $C_{16,4}$ is the H-code with generator $(1, \alpha^{?}, \alpha^{?}, \alpha^{?})$ given in [8, Theorem 6.9]. The code $C_{16,5}$ is the H-code with generator $(\alpha^{?}, \alpha^{?}, \alpha^{?}, \alpha^{?})$. The code $C_{16,3}$ has generator matrix $(\,I\,,\,A_{16,3}\,)$ where the rows of $A_{16,3}$ include $(\alpha^{?}, 1, \alpha^{?}, \alpha^{?})$, $(\alpha^{?}, \alpha^{?}, \alpha^{?}, \alpha^{?})$ and $(0, 0, \alpha^{?}, \alpha^{?})$.

By Theorem 3, the number of distinct Type II codes of length 12 is given by $N_{II,4}(12) = \prod_{i=0}^{4}(2^{4i} + 1)$. The order of the permutation automorphism group of each code is at most $12!$. Since $N_{II,4}(12)/12! > 4898$, there are at least 4899 Type II codes of length 12 up to permutation-equivalence. This is a weak bound, thus it seems infeasible to classify all Type II codes of this length.

Let $C$ be a $[6 + t, t]$ code with $t \ge 1$ such that the minimum Lee weight is at least 12. By shortening $C$, we obtain a $[6 + t - 1, t - 1]$ code such that the minimum Lee weight is at least 12. This means that we can construct all $[6 + t, t]$ codes such that the minimum Lee weight is at least 12 and all the Lee weights are divisible by 4, by computer search starting from $t = 0, 1, 2, \dots$. There is such a $[10, 4]$ code, however, we have found no such $[11, 5]$ code. Thus, we obtain the following result.

Proposition 8. There is no extremal Type II $\mathbb{F}_{16}$-code of length 12.

We have found a Type II code of length 12 with the Lee weight enumerator

$$\frac{93}{82}\varphi_{4,1}^3 - \frac{279}{82}\varphi_{4,1}\varphi_{4,2} + \frac{134}{41}\varphi_{4,3} = x^{48} + 558x^{40}y^8 + 12832x^{36}y^{12} + 550719x^{32}y^{16} + \cdots .$$

Hence we have the following:

Corollary 9. The ring $\mathbb{C}[\varphi_{4,1}, \varphi_{4,2}, \varphi_{4,3}]$ given in (3) is generated by the Lee weight enumerators of Type II codes over $\mathbb{F}_{16}$.

It is known that there is an extremal Type II $\mathbb{F}_{16}$-code of length 16 (see [7]).



5 Type II Codes over $\mathbb{F}_{32}$

In this section, we give the classification of Type II codes of length 8 over $\mathbb{F}_{32} = \mathbb{F}_2[\alpha]/(\alpha^5 + \alpha^{?} + 1)$. The method used is similar to the one given in the previous section, so we list the results only. Again we denote by $\sigma$ the Frobenius automorphism defined by $\sigma(a) = a^2$.

Lemma 10. There are six TOB's of $\mathbb{F}_{32}$, namely $B_{32,1} = \{\alpha^{?}, \alpha^{?}, \alpha^{?}, \alpha^{?}, \alpha^{?}\}$, $B_{32,2} = \{\alpha^{?}, \alpha^{?}, \alpha^{?}, \alpha^{?}, \alpha^{?}\}$, $B_{32,2}^{\sigma}$, $B_{32,2}^{\sigma^2}$, $B_{32,2}^{\sigma^3}$ and $B_{32,2}^{\sigma^4}$.

According to a result of the first author [1], Type II codes with respect to $B_{32,1}$ are also Type II codes with respect to any other TOB, hence the classification is independent of the choice of the TOB. For the same reason we indicated in Sect. 4, this fact can be directly checked in our case.

We list all Type II codes over $\mathbb{F}_{32}$ up to permutation-equivalence in Table 3. The second and fifth columns give the order of the permutation automorphism group of the code, the third and sixth columns give the minimum Hamming weight $d_H$.



Theorem 11 . There are 12 Type IIW^2-codes of length 8 , up to permutation- 
equivalence. 

As a check, we verify the mass formula: J2ceCs2 |PAut(C)| “ 67650 = iV//^5(8) 

where C32 = {C 32 ,i, 032,2, C^2,3i ^32,4 I J = 0: ) 4}. 

The code 032,1 is the extended binary Hamming code eg regarded as a code 
over F32. The code 032,4 is the H-code with generator (1, a®, given in [8, 



Theorem 6.10]. The code 032,3 is the H-code with generator 
The code 032,2 has generator matrix ( / , ^32,2 ) where the rows of ^32,2 
are (a®, a®, a^®), a^), a®®, a®), (a^®, 1, a®®, a®). The 

codes 032,2 and 0^2,4 (j = 0, 1 , ... ,4) are MDS codes. 
Table 3. All Type II $\mathbb{F}_{32}$-codes of length 8

Code                                     |PAut|   d_H      Code                                     |PAut|   d_H
$C_{32,1}$                                1344    4        $C_{32,2}$                                   1    5
$C_{32,3}^{\sigma^j}$ ($j = 0, \dots, 4$)   96    4        $C_{32,4}^{\sigma^j}$ ($j = 0, \dots, 4$)    8    5



Table 4. Binary images of Type II codes

Code        $B_{32,1}$   $B_{32,2}$   $B_{32,2}^{\sigma}$   $B_{32,2}^{\sigma^2}$   $B_{32,2}^{\sigma^3}$   $B_{32,2}^{\sigma^4}$
$C_{32,1}$  $D_{40,1}$   $D_{40,1}$   $D_{40,1}$            $D_{40,1}$              $D_{40,1}$              $D_{40,1}$
$C_{32,2}$  $D_{40,2}$   $D_{40,3}$   $D_{40,3}$            $D_{40,3}$              $D_{40,3}$              $D_{40,3}$
$C_{32,3}$  $D_{40,4}$   $D_{40,4}$   $D_{40,4}$            $D_{40,5}$              $D_{40,4}$              $D_{40,4}$
$C_{32,4}$  $D_{40,6}$   $D_{40,9}$   $D_{40,6}$            $D_{40,7}$              $D_{40,8}$              $D_{40,6}$



The occurrence of self-dual codes with trivial automorphism group has been investigated (see [4, Sect. 7.5]). In particular, it is a problem to determine the smallest length for which there is a code with a trivial automorphism group for each class of self-dual codes. Note that $C_{32,2}$ is the first example of a Type II $\mathbb{F}_{2^r}$-code with a trivial permutation automorphism group for $r > 2$.

We now consider the binary images of the Type II codes in $\mathcal{C}_{32}$ with respect to the six TOB's. The binary images are listed in Table 4, and descriptions of the entries of Table 4 are given in Table 5. We do not list the binary images of the codes $C_{32,3}^{\sigma^j}, C_{32,4}^{\sigma^j}$ ($j = 1, \dots, 4$), since they can be derived from those of the codes $C_{32,3}, C_{32,4}$, respectively.

Theorem 12. The six Type II $\mathbb{F}_{32}$-codes $C_{32,2}, C_{32,4}^{\sigma^j}$ ($j = 0, \dots, 4$) are extremal with respect to each of the six TOB's.

By Theorem 3, the number of distinct Type II codes of length 16 is given by $N_{II,5}(16) = \prod_{i=0}^{6}(2^{5i} + 1)$. The order of the permutation automorphism group of each code is at most $16!$. Since $N_{II,5}(16)/16! > 4 \cdot 10^{18}$, there are a great many Type II codes of length 16 up to permutation-equivalence. Therefore it seems infeasible to classify all Type II codes of this length.

An H-code over $\mathbb{F}_{32}$ of length 16 is given in [8, Theorem 6.13]. It was verified in [8] that the code is Type II with respect to $B_{32,1}$ and $B_{32,2}$. We have verified that the minimum Lee weights of the code with respect to $B_{32,1}$ and $B_{32,2}^{\sigma^j}$ ($j = 0, \dots, 4$) are 12, that is, the code is non-extremal.



6 Other Codes

6.1 Reconstruction of the Extended Golay Code

One reason for interest in Type II codes over $\mathbb{F}_{2^r}$ comes from the existence of the Type II $\mathbb{F}_8$-code of length 8 which gives a new construction of the binary extended Golay code $g_{24}$ [6,10]. In this subsection, we classify all Type II codes over $\mathbb{F}_{2^r}$ whose binary images are $g_{24}$.
Table 5. Equivalences of the binary images

Binary code   |Aut($D_{40,i}$)|      Minimum weight   Weight enumerator
$D_{40,1}$    526232406856826880     4                $W_{e_8}^5$
$D_{40,2}$    240                    8                $W_{e_8}^5 - 70\,W_{e_8}^2\varphi_{3,2}$
$D_{40,3}$    6                      8                $W_{e_8}^5 - 70\,W_{e_8}^2\varphi_{3,2}$
$D_{40,4}$    12079595520            4                $W_{e_8}^5 - 60\,W_{e_8}^2\varphi_{3,2}$
$D_{40,5}$    45298483200            4                $W_{e_8}^5 - 60\,W_{e_8}^2\varphi_{3,2}$
$D_{40,6}$    128                    8                $W_{e_8}^5 - 70\,W_{e_8}^2\varphi_{3,2}$
$D_{40,7}$    64                     8                $W_{e_8}^5 - 70\,W_{e_8}^2\varphi_{3,2}$
$D_{40,8}$    6144                   8                $W_{e_8}^5 - 70\,W_{e_8}^2\varphi_{3,2}$
$D_{40,9}$    4608                   8                $W_{e_8}^5 - 70\,W_{e_8}^2\varphi_{3,2}$



By Theorem 3, it is sufficient to consider extremal Type II codes over $\mathbb{F}_{2^r}$ of length $n$ with $(r, n) = (2, 12), (3, 8)$ and $(6, 4)$. It was shown in [2] that there is a unique extremal Type II $\mathbb{F}_4$-code of length 12, up to permutation-equivalence. In Theorem 4, we showed that there is a unique extremal Type II $\mathbb{F}_8$-code of length 8, up to permutation-equivalence, with respect to the unique TOB. Munemasa [5] shows that there is a unique Type II $\mathbb{F}_{2^r}$-code of length 4 with respect to a fixed TOB, for even $r$. The unique code contains a codeword of Lee weight 4 for any TOB. Therefore we have the following:

Theorem 13. The only Type II codes over $\mathbb{F}_{2^r}$ whose binary images are the binary extended Golay code are the unique extremal Type II $\mathbb{F}_4$-code of length 12 with respect to the unique TOB and the unique extremal Type II $\mathbb{F}_8$-code of length 8 with respect to the unique TOB.

6.2 Reed-Solomon Codes

Let $RS_{2^r}(a)$ be the extended Reed-Solomon $\mathbb{F}_{2^r}$-code of length $2^r$ which is the extended cyclic code generated by the polynomial $\prod_{i=1}^{2^{r-1}-1}(x - a^i)$, where $a$ is a primitive element of $\mathbb{F}_{2^r}$. In this section, we discuss the Type II property and the extremality of all the extended Reed-Solomon codes of length 8, 16 and 32 with respect to all TOB's. To do this, it is enough to consider representatives of equivalence classes under permutations and the Frobenius automorphisms. We can easily verify that $RS_{2^r}(a^{-1})$ is permutation-equivalent to $RS_{2^r}(a)$, and that $RS_{2^r}(a^2)$ is the Frobenius image of $RS_{2^r}(a)$. Hence for $r = 3$ and $4$, without loss of generality we may take the element $a$ to be a primitive element $\alpha$ satisfying $\alpha^3 + \alpha + 1 = 0$ and $\alpha^4 + \alpha + 1 = 0$, respectively. Let $RS_8$ (resp. $RS_{16}$) denote the extended Reed-Solomon code $RS_8(\alpha)$ (resp. $RS_{16}(\alpha)$) for this $\alpha$.

Proposition 14 (Pasquier [8]). The code $RS_8$ is an extremal Type II $\mathbb{F}_8$-code of length 8 with respect to the TOB $B_8$, and the code $RS_{16}$ is an extremal Type II $\mathbb{F}_{16}$-code of length 16 with respect to the two TOB's $B_{16,1}$ and $B_{16,2}$.

For $r = 5$, we take $\alpha$ to be a primitive element satisfying $\alpha^5 + \alpha^{?} + 1 = 0$ as in Sect. 5. Then it suffices to consider $RS_{32}(\alpha)$, $RS_{32}(\alpha^3)$ and $RS_{32}(\alpha^5)$. It was shown in [8] that $RS_{32}(\alpha)$ is a Type II code with respect to the two TOB's given in [8] with minimum Lee weight $d_L \in \{20, 24, 28\}$. Note that the generator polynomial of the code was incorrectly reported. The correct polynomial is

$$g(x) = x^{15} + \alpha^{?}x^{14} + \alpha^{?}x^{13} + \cdots + \alpha^{?}x + \alpha^{?} .$$

Proposition 15. The codes $RS_{32}(\alpha)$, $RS_{32}(\alpha^3)$ and $RS_{32}(\alpha^5)$ are non-extremal Type II $\mathbb{F}_{32}$-codes with respect to each of the six TOB's.

Proof. It is easy to check that $RS_{32}(\alpha)$, $RS_{32}(\alpha^3)$, $RS_{32}(\alpha^5)$ are Type II with respect to each of the TOB's. Moreover, we have found a codeword of Lee weight 24 for each of these codes, whereas extremality at binary length 160 would require minimum Lee weight 28. □
Abstract. This paper studies senary simplex codes of type $\alpha$ and two punctured versions of these codes (type $\beta$ and $\gamma$). Self-orthogonality, torsion codes, weight distribution and weight hierarchy properties are studied. We give a new construction of senary codes via their binary and ternary counterparts, and show that type $\alpha$ and $\beta$ simplex codes can be constructed by this method.



1 Introduction 

There has been much interest in codes over finite rings in recent years, especially the rings $\mathbb{Z}_{2k}$, where $\mathbb{Z}_{2k}$ denotes the ring of integers modulo $2k$. In particular codes over $\mathbb{Z}_4$ have been widely studied [1], [5], [6], [7], [8], [9], [10], [11], [12]. More recently $\mathbb{Z}_4$-simplex codes (and their Gray images) have been investigated by Bhandari, Gupta and Lal in [2]. Good binary linear and non-linear codes can be obtained from codes over $\mathbb{Z}_4$ via the Gray map. Thus it is natural to investigate simplex codes over the ring $\mathbb{Z}_{2k}$. In particular, one can construct mixed binary/ternary codes via senary codes by applying the Chinese Gray map (see Example 1). Motivated by this (apart from practical applications such as PSK modulation [4]), in this paper we consider senary simplex codes, and investigate their fundamental properties. We also study their Chinese product type construction.

A linear code $C$, of length $n$, over $\mathbb{Z}_6$ is an additive subgroup of $\mathbb{Z}_6^n$. An element of $C$ is called a codeword of $C$ and a generator matrix of $C$ is a matrix whose rows generate $C$. The Hamming weight $w_H(x)$ of a vector $x$ in $\mathbb{Z}_6^n$ is the number of non-zero components. The Lee weight $w_L(x)$ of a vector $x = (x_1, x_2, \dots, x_n)$ is $\sum_{i=1}^n \min\{x_i, |6 - x_i|\}$. The Euclidean weight $w_E(x)$ of a vector $x$ is $\sum_{i=1}^n \min\{x_i^2, (6 - x_i)^2\}$. The Euclidean weight is useful in connection with lattice constructions. The Chinese Euclidean weight $w_{CE}(x)$ of a vector $x \in \mathbb{Z}_6^n$ is $\sum_{i=1}^n \left(2 - 2\cos\frac{2\pi x_i}{6}\right)$. This is useful for $m$-PSK coding [4]. The Hamming, Lee and Euclidean distances $d_H(x,y)$, $d_L(x,y)$ and $d_E(x,y)$ between two vectors $x$ and $y$ are $w_H(x - y)$, $w_L(x - y)$ and $w_E(x - y)$, respectively. The minimum Hamming, Lee and Euclidean weights, $d_H$, $d_L$ and $d_E$, of $C$ are the smallest Hamming, Lee and Euclidean weights among all non-zero codewords of $C$, respectively.

The Chinese Gray map $\phi : \mathbb{Z}_6^n \to \mathbb{Z}_2^n \mathbb{Z}_3^n$ is the coordinate-wise extension of the function from $\mathbb{Z}_6$ to $\mathbb{Z}_2 \mathbb{Z}_3$ defined by $0 \mapsto (0,0)$, $1 \mapsto (1,1)$, $2 \mapsto (0,2)$, $3 \mapsto (1,0)$, $4 \mapsto (0,1)$ and $5 \mapsto (1,2)$, that is, $x \mapsto (x \bmod 2, x \bmod 3)$. This map is the Chinese remainder isomorphism $\mathbb{Z}_6 \cong \mathbb{Z}_2 \times \mathbb{Z}_3$; it and its inverse are ring isomorphisms, and so is $\phi$. The image of a linear code $C$ over $\mathbb{Z}_6$ of length $n$ under the Chinese Gray map is a mixed binary/ternary code of length $2n$.

The dual code of $C$ is defined as $C^\perp = \{x \in \mathbb{Z}_6^n \mid x \cdot y = 0 \text{ for all } y \in C\}$ where $x \cdot y$ is the standard inner product of $x$ and $y$. $C$ is self-orthogonal if $C \subseteq C^\perp$ and $C$ is self-dual if $C = C^\perp$.

Two codes are said to be equivalent if one can be obtained from the other 
by permuting the coordinates and (if necessary) changing the signs of certain 
coordinates. Codes differing by only a permutation of coordinates are called 
permutation- equivalent. 

In this paper we define $\mathbb{Z}_6$-simplex codes of type $\alpha$, $\beta$ and $\gamma$, namely $S^\alpha$, $S^\beta$ and $S^\gamma$, and determine some of their fundamental parameters. Section 2 contains some preliminaries and notations. Definitions and basic parameters of $\mathbb{Z}_6$-simplex codes of type $\alpha$, $\beta$ and $\gamma$ are given in Section 3. Section 4 investigates their Chinese product type construction.

2 Preliminaries and Notations 

Any linear code $C$ over $\mathbb{Z}_6$ is permutation-equivalent to a code with generator matrix $G$ (the rows of $G$ generate $C$) of the form

$$G=\begin{pmatrix} I_{k_1} & A_{1,2} & A_{1,3} & A_{1,4}\\ 0 & 2I_{k_2} & 2A_{2,3} & 2A_{2,4}\\ 0 & 0 & 3I_{k_3} & 3A_{3,4}\end{pmatrix}, \qquad (1)$$

where the $A_{i,j}$ are matrices with entries 0 or 1 for $i>1$, and $I_k$ is the identity matrix of order $k$. Such a code is said to have rank $\{1^{k_1},2^{k_2},3^{k_3}\}$ or simply rank $\{k_1,k_2,k_3\}$, and $|C|=6^{k_1}3^{k_2}2^{k_3}$ [1]. If $k_2=k_3=0$ then the rank of $C$ is $\{k_1,0,0\}$ or simply $k_1=k$. 

To each code $C$ one can associate two residue codes, viz. $C_2$ and $C_3$, defined as
$$C_2=\{\,v \mid v\equiv w \pmod 2,\ w\in C\,\}$$
and
$$C_3=\{\,v \mid v\equiv w \pmod 3,\ w\in C\,\}.$$

Code $C_2$ is permutation-equivalent to a code with generator matrix of the form

$$\begin{pmatrix} I_{k_1} & A_{1,2} & A_{1,3} & A_{1,4}\\ 0 & 0 & 3I_{k_3} & 3A_{3,4}\end{pmatrix}, \qquad (2)$$

where the $A_{i,j}$ are binary matrices for $i>1$. Note that $C_2$ has dimension $k_1+k_3$. The ternary code $C_3$ is permutation-equivalent to a code with generator matrix of the form

$$\begin{pmatrix} I_{k_1} & A_{1,2} & A_{1,3} & A_{1,4}\\ 0 & 2I_{k_2} & 2A_{2,3} & 2A_{2,4}\end{pmatrix}, \qquad (3)$$

where the $A_{i,j}$ are binary matrices for $i>1$. Note that $C_3$ has dimension $k_1+k_2$. One can also associate two torsion codes with $C$, viz. $C_2^*$ and $C_3^*$, defined as

$$C_2^*=\Bigl\{\,\frac{c}{3}\ \Big|\ c=(c_1,\ldots,c_n)\in C \text{ and } c_i\equiv 0 \pmod 3 \text{ for } 1\le i\le n\Bigr\}$$

and

$$C_3^*=\Bigl\{\,\frac{c}{2}\ \Big|\ c=(c_1,\ldots,c_n)\in C \text{ and } c_i\equiv 0 \pmod 2 \text{ for } 1\le i\le n\Bigr\}.$$

If $k_2=k_3=0$ then $C_i=C_i^*$ for $i=2,3$. 

A linear code $C$ over $\mathbb{Z}_6$ of length $n$ and rank $\{k_1,k_2,k_3\}$ is called an $[n;k_1,k_2,k_3]$ code. If $k_2=k_3=0$, $C$ is called an $[n,k]$ code. In the case of simplex codes we indeed have $k_2=k_3=0$. 

Let $C:[n;k_1,k_2,k_3]$ be a code over $\mathbb{Z}_6$. For $r_1\le k_1$, $r_2\le k_2$, $r_1+r_2+r_3\le k_1+k_2+k_3$, the Generalized Hamming Weight of $C$ is defined by

$$d_{r_1,r_2,r_3}=\min\{\,w_S(\mathcal{D}) \mid \mathcal{D} \text{ is an } [n;r_1,r_2,r_3] \text{ subcode of } C\,\},$$

where $w_S(\mathcal{D})$, called the support size of $\mathcal{D}$, is the number of coordinates in which some codeword of $\mathcal{D}$ has a nonzero entry. The set $\{d_{r_1,r_2,r_3}\}$ is called the weight hierarchy of $C$. 

We have the following lemma connecting the support weight and the Chinese Euclidean weight. 

Lemma 1. Let $\mathcal{D}:[n;r_1,r_2,r_3]$ be a senary linear code. Then

$$\sum_{c\in\mathcal{D}} w_{CE}(c)=2^{r_1+r_3+1}\,3^{r_1+r_2}\,w_S(\mathcal{D}).$$

Proof. Consider the $(r\times n)$ array of all the codewords in $\mathcal{D}$ (where $r=6^{r_1}3^{r_2}2^{r_3}$). It is easy to see that each column consists of either 

1. only zeros 

2. 0 and 3 equally often 

3. 0, 2 and 4 equally often 

4. 0, 1, 2, 3, 4, 5 equally often. 

Let $n_i$, $i=1,2,3,4$, be the number of columns of type $i$. Then $n_2+n_3+n_4=w_S(\mathcal{D})$. Now applying the standard arguments to evaluate the sum yields the result. 

Thus for any linear code $C$ over $\mathbb{Z}_6$, $d_{r_1,r_2,r_3}$ may also be defined by

$$d_{r_1,r_2,r_3}=\min\Bigl\{\,\frac{1}{2^{r_1+r_3+1}\,3^{r_1+r_2}}\sum_{c\in\mathcal{D}} w_{CE}(c)\ \Big|\ \mathcal{D} \text{ is an } [n;r_1,r_2,r_3] \text{ subcode of } C\Bigr\}.$$
3 Senary Simplex Codes of Type α, β and γ 

Let $G_k^{\alpha}$ be a $k\times 2^k3^k$ matrix over $\mathbb{Z}_6$ consisting of all possible distinct columns. Inductively, $G_k^{\alpha}$ may be written as

$$G_k^{\alpha}=\begin{pmatrix} 0\cdots0 & 1\cdots1 & 2\cdots2 & 3\cdots3 & 4\cdots4 & 5\cdots5\\ G_{k-1}^{\alpha} & G_{k-1}^{\alpha} & G_{k-1}^{\alpha} & G_{k-1}^{\alpha} & G_{k-1}^{\alpha} & G_{k-1}^{\alpha}\end{pmatrix}$$

with $G_1^{\alpha}=[0\;1\;2\;3\;4\;5]$. The code $S_k^{\alpha}$ generated by $G_k^{\alpha}$ has length $6^k$ and the rank of $S_k^{\alpha}$ is $\{k,0,0\}$. 

The following observations are useful to obtain the weight distribution of $S_k^{\alpha}$. 

Remark 1. If $A_{k-1}$ denotes the $(6^{k-1}\times 6^{k-1})$ array consisting of all codewords in $S_{k-1}^{\alpha}$ and if $J$ is the matrix of all 1's, then the $(6^k\times 6^k)$ array of codewords of $S_k^{\alpha}$ is given by

$$\begin{pmatrix}
A_{k-1} & A_{k-1} & A_{k-1} & A_{k-1} & A_{k-1} & A_{k-1}\\
A_{k-1} & J+A_{k-1} & 2J+A_{k-1} & 3J+A_{k-1} & 4J+A_{k-1} & 5J+A_{k-1}\\
A_{k-1} & 2J+A_{k-1} & 4J+A_{k-1} & A_{k-1} & 2J+A_{k-1} & 4J+A_{k-1}\\
A_{k-1} & 3J+A_{k-1} & A_{k-1} & 3J+A_{k-1} & A_{k-1} & 3J+A_{k-1}\\
A_{k-1} & 4J+A_{k-1} & 2J+A_{k-1} & A_{k-1} & 4J+A_{k-1} & 2J+A_{k-1}\\
A_{k-1} & 5J+A_{k-1} & 4J+A_{k-1} & 3J+A_{k-1} & 2J+A_{k-1} & J+A_{k-1}
\end{pmatrix}$$

Remark 2. If $R_1,R_2,\ldots,R_k$ denote the rows of the matrix $G_k^{\alpha}$, then $w_H(R_i)=5\cdot6^{k-1}$, $w_L(R_i)=9\cdot6^{k-1}$, $w_E(R_i)=19\cdot6^{k-1}$ and $w_{CE}(R_i)=2\cdot6^k$. 

It may be observed that each element of $\mathbb{Z}_6$ occurs equally often in every row of $G_k^{\alpha}$. Let $c=(c_1,c_2,\ldots,c_n)\in C$. For each $j\in\mathbb{Z}_6$ let $\omega_j(c)=|\{\,i \mid c_i=j\,\}|$. We have the following lemma. 

Lemma 2. Let $c\in S_k^{\alpha}$, $c\ne0$. 

1. If for at least one $i$, $c_i$ is a unit (1 or 5), then $\forall j\in\mathbb{Z}_6$, $\omega_j=2^{k-1}\cdot3^{k-1}$ in $c$. 

2. If $\forall i$, $c_i\in\{0,\pm2\}$, then $\forall j\in\{0,\pm2\}$, $\omega_j=2^k\cdot3^{k-1}$ in $c$. 

3. If $\forall i$, $c_i\in\{0,3\}$, then $\forall j\in\{0,3\}$, $\omega_j=2^{k-1}\cdot3^k$ in $c$. 



Proof. By Remark 1, any $x\in S_{k-1}^{\alpha}$ gives rise to six codewords of $S_k^{\alpha}$:

$$y_1=(x,\ x,\ x,\ x,\ x,\ x),$$

$$y_2=(x,\ \mathbf{1}+x,\ 2\cdot\mathbf{1}+x,\ 3\cdot\mathbf{1}+x,\ 4\cdot\mathbf{1}+x,\ 5\cdot\mathbf{1}+x),$$

$$y_3=(x,\ 2\cdot\mathbf{1}+x,\ 4\cdot\mathbf{1}+x,\ x,\ 2\cdot\mathbf{1}+x,\ 4\cdot\mathbf{1}+x),$$

$$y_4=(x,\ 3\cdot\mathbf{1}+x,\ x,\ 3\cdot\mathbf{1}+x,\ x,\ 3\cdot\mathbf{1}+x),$$

$$y_5=(x,\ 4\cdot\mathbf{1}+x,\ 2\cdot\mathbf{1}+x,\ x,\ 4\cdot\mathbf{1}+x,\ 2\cdot\mathbf{1}+x),$$

and

$$y_6=(x,\ 5\cdot\mathbf{1}+x,\ 4\cdot\mathbf{1}+x,\ 3\cdot\mathbf{1}+x,\ 2\cdot\mathbf{1}+x,\ \mathbf{1}+x),$$

where $\mathbf{1}$ denotes the all-one vector of length $6^{k-1}$. 

Now the result can be easily proved by induction on $k$. 
Now we recall some known facts about binary and ternary simplex codes. Let $G(S_k)$ (columns consisting of all non-zero binary $k$-tuples) be a generator matrix for an $[n,k]$ binary simplex code $S_k$. Then the extended binary simplex code (also known as a type $\alpha$ binary simplex code), $\hat S_k$, is generated by the matrix $G(\hat S_k)=[0\;G(S_k)]$. Inductively,

$$G(\hat S_k)=\begin{pmatrix} 0\cdots0 & 1\cdots1\\ G(\hat S_{k-1}) & G(\hat S_{k-1})\end{pmatrix}. \qquad (4)$$

The ternary simplex code of type $\alpha$ is defined inductively by 

and the ternary simplex code is defined by the usual generator matrix as 

Now we determine the torsion codes of the senary simplex code of type $\alpha$. 

Lemma 3. The binary (ternary) torsion code of $S_k^{\alpha}$ is equivalent to $3^k$ copies of the binary type $\alpha$ simplex code ($2^k$ copies of the ternary type $\alpha$ simplex code). 

Proof. We will prove the binary case by induction on $k$. The proof of the ternary case is similar and so is omitted. Observe that the binary torsion code of $S_k^{\alpha}$ is the set of codewords obtained by replacing 3 by 1 in all 2-linear combinations of the rows of the matrix 

Clearly the result holds for $k=2$. Assuming that the binary torsion code of $S_{k-1}^{\alpha}$ is equivalent to $3^{k-1}$ copies of the extended binary simplex code, we have $[\,3G(\hat S_{k-1})\,|\cdots|\,3G(\hat S_{k-1})\,]$ in place of $3G_{k-1}^{\alpha}$ in the above matrix. Now regrouping the columns in the above matrix according to (4) yields the desired result. 

As a consequence of Lemmas 2 and 3, one gets the weight distribution of $S_k^{\alpha}$. 

Theorem 1. The Hamming, Lee, Euclidean and C-Euclidean weight distributions of $S_k^{\alpha}$ are 

1. $A_H(0)=1$, $A_H(3\cdot6^{k-1})=2^k-1$, $A_H(4\cdot6^{k-1})=3^k-1$, $A_H(5\cdot6^{k-1})=(2^k-1)(3^k-1)$. 

2. $A_L(0)=1$, $A_L(8\cdot6^{k-1})=3^k-1$, $A_L(9\cdot6^{k-1})=3^k(2^k-1)-1$. 

3. $A_E(0)=1$, $A_E(27\cdot6^{k-1})=2^k-1$, $A_E(16\cdot6^{k-1})=3^k-1$, $A_E(19\cdot6^{k-1})=(2^k-1)(3^k-1)$. 

4. $A_{CE}(0)=1$, $A_{CE}(2\cdot6^k)=3^k\cdot2^k-1$, 

where $A_H(i)$ ($A_L(i)$) denotes the number of vectors of Hamming (Lee) weight $i$ in $S_k^{\alpha}$, and similarly for the Euclidean weights of both types. 

Proof. By Lemma 2, each non-zero codeword of $S_k^{\alpha}$ has Hamming weight either $3\cdot6^{k-1}$, $4\cdot6^{k-1}$ or $5\cdot6^{k-1}$, and Lee weight either $8\cdot6^{k-1}$ or $9\cdot6^{k-1}$. Since the dimension of the binary torsion code is $k$, there will be $2^k-1$ codewords of Hamming weight $3\cdot6^{k-1}$, and the dimension of the ternary torsion code is $k$, so there will be $3^k-1$ codewords of Hamming weight $4\cdot6^{k-1}$. Hence the number of codewords having Hamming weight $5\cdot6^{k-1}$ will be $6^k-(3^k+2^k-1)$. Similar arguments hold for the other weights. 

The symmetrized weight enumerator (swe) of a senary code $C$ is defined as

$$swe_C(a,b,c,d)=\sum_{x\in C} a^{n_0(x)}\,b^{n_1(x)}\,c^{n_2(x)}\,d^{n_3(x)},$$

where $n_i(x)$ denotes the number of $j$ such that $x_j=\pm i$. Let $\bar S_k^{\alpha}$ be the punctured code of $S_k^{\alpha}$ obtained by deleting the zero coordinate. Then the swe of $\bar S_k^{\alpha}$ is

$$swe_{\bar S_k^{\alpha}}(a,b,c,d)=1+(2^k-1)\,d\,(ad)^{3\cdot6^{k-1}-1}+(3^k-1)\,a^{2^k3^{k-1}-1}c^{2^{k+1}3^{k-1}}+(2^k-1)(3^k-1)\,d\,(ad)^{6^{k-1}-1}(bc)^{2\cdot6^{k-1}}.$$

Remark 3. 1. $S_k^{\alpha}$ is an equidistant code with respect to Chinese Euclidean distance, whereas the binary (quaternary, i.e. over $\mathbb{Z}_4$) simplex code is equidistant with respect to Hamming (Lee) distance. 

2. The minimum weights of $S_k^{\alpha}$ are: $d_H=3\cdot6^{k-1}$, $d_L=8\cdot6^{k-1}$, $d_E=16\cdot6^{k-1}$, $d_{CE}=2\cdot6^k$. 
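The following Python script is an added example (not code from the paper): it implements the four weights of Section 1 and the Chinese Gray map, builds $G_k^{\alpha}$ by the recursion above, and verifies Theorem 1, Remark 3 and the self-orthogonality claim of Theorem 6 by brute force for small $k$. All function names are the example's own choices.

```python
"""Senary (Z6) simplex codes of type alpha: the four weights, the Chinese Gray
map, the recursive generator matrix G_k^alpha, and brute-force checks of
Theorem 1 (weight distribution) and Theorem 6 (self-orthogonal for k >= 3)."""
from itertools import product
from math import cos, pi

Z6 = range(6)

# ---- weights of a Z6 vector, as defined in Section 1 ----
def w_hamming(x):
    return sum(1 for a in x if a % 6 != 0)

def w_lee(x):
    return sum(min(a % 6, 6 - a % 6) for a in x)

def w_euclid(x):
    return sum(min(a % 6, 6 - a % 6) ** 2 for a in x)

def w_chinese_euclid(x):
    # 6-PSK squared distance 2 - 2cos(2*pi*a/6): exactly 0,1,3,4,3,1 for a = 0..5
    return sum(round(2 - 2 * cos(2 * pi * (a % 6) / 6)) for a in x)

# ---- Chinese Gray map phi: Z6 -> Z2 x Z3 (coordinate-wise) and its inverse ----
CHINESE_GRAY = {0: (0, 0), 1: (1, 1), 2: (0, 2), 3: (1, 0), 4: (0, 1), 5: (1, 2)}
CHINESE_GRAY_INV = {v: k for k, v in CHINESE_GRAY.items()}

def chinese_gray(x):
    """Return (binary part, ternary part); each part has the length of x."""
    pairs = [CHINESE_GRAY[a % 6] for a in x]
    return tuple(b for b, _ in pairs), tuple(t for _, t in pairs)

def chinese_gray_inverse(bits, trits):
    return tuple(CHINESE_GRAY_INV[(b % 2, t % 3)] for b, t in zip(bits, trits))

def gray_is_ring_isomorphism():
    """phi(a) = (a mod 2, a mod 3), so phi respects + and * on Z6 (the CRT map)."""
    if any(CHINESE_GRAY[a] != (a % 2, a % 3) for a in Z6):
        return False
    for a, b in product(Z6, repeat=2):
        (ba, ta), (bb, tb) = CHINESE_GRAY[a], CHINESE_GRAY[b]
        if CHINESE_GRAY[(a + b) % 6] != ((ba + bb) % 2, (ta + tb) % 3):
            return False
        if CHINESE_GRAY[(a * b) % 6] != ((ba * bb) % 2, (ta * tb) % 3):
            return False
    return True

# ---- G_k^alpha: k x 6^k matrix of all distinct columns, built recursively ----
def simplex_alpha_generator(k):
    if k == 1:
        return [[0, 1, 2, 3, 4, 5]]
    prev = simplex_alpha_generator(k - 1)
    width = 6 ** (k - 1)
    top = [d for d in Z6 for _ in range(width)]  # 0..0 1..1 ... 5..5
    return [top] + [row * 6 for row in prev]      # six copies of G_{k-1}^alpha

def codewords(G):
    """All Z6-linear combinations of the rows of G."""
    n = len(G[0])
    return {tuple(sum(c * row[j] for c, row in zip(coeffs, G)) % 6 for j in range(n))
            for coeffs in product(Z6, repeat=len(G))}

def weight_distribution(G, weight):
    dist = {}
    for c in codewords(G):
        dist[weight(c)] = dist.get(weight(c), 0) + 1
    return dist

def theorem1_hamming(k):
    """Hamming weight distribution of S_k^alpha as claimed by Theorem 1."""
    q = 6 ** (k - 1)
    return {0: 1, 3 * q: 2 ** k - 1, 4 * q: 3 ** k - 1, 5 * q: (2 ** k - 1) * (3 ** k - 1)}

def check_theorem1(k):
    G = simplex_alpha_generator(k)
    ham = weight_distribution(G, w_hamming)
    lee = weight_distribution(G, w_lee)
    ce = weight_distribution(G, w_chinese_euclid)
    return (ham == theorem1_hamming(k)
            and ce == {0: 1, 2 * 6 ** k: 6 ** k - 1}        # equidistant in w_CE (Remark 3)
            and lee.get(8 * 6 ** (k - 1)) == 3 ** k - 1)     # the {0, 2, 4} codewords

def is_self_orthogonal(G):
    """Every pair of rows has inner product 0 mod 6, i.e. the code lies in its dual."""
    return all(sum(a * b for a, b in zip(r, s)) % 6 == 0 for r in G for s in G)

if __name__ == "__main__":
    print(gray_is_ring_isomorphism(), check_theorem1(2), check_theorem1(3))
    print([is_self_orthogonal(simplex_alpha_generator(k)) for k in (2, 3)])
```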

Example 1. Consider the $6^4=1296$ codewords of the senary code generated by the following generator matrix

$$\begin{pmatrix}
1&1&1&1&1&1&1&1\\
2&2&2&2&0&0&0&0\\
2&2&0&0&2&2&0&0\\
2&0&2&0&2&0&2&0\\
3&3&3&3&4&4&4&4\\
3&3&4&4&3&3&4&4\\
3&4&3&4&3&4&3&4
\end{pmatrix}.$$

Using the Chinese Gray map results in a mixed code with 8 binary and 8 ternary coordinates, which gives $A(8,8,4)\ge1296$, while the ternary code of length 8, dimension 4 and distance 4 is optimal [3]. 

Let $H_k$ be the $k\times 3^k(2^k-1)$ matrix defined inductively by $H_1=[1\;3\;5]$ and

$$H_k=\begin{pmatrix} 0\cdots0 & 1\cdots1 & 2\cdots2 & 3\cdots3 & 4\cdots4 & 5\cdots5\\ H_{k-1} & G_{k-1}^{\alpha} & H_{k-1} & G_{k-1}^{\alpha} & H_{k-1} & G_{k-1}^{\alpha}\end{pmatrix}$$

for $k\ge2$; and let $g_k$ be the $k\times 2^{k-1}(3^k-1)$ matrix defined inductively by $g_1=[1\;2]$ and

$$g_k=\begin{pmatrix} 0\cdots0 & 1\cdots1 & 2\cdots2 & 3\cdots3\\ g_{k-1} & G_{k-1}^{\alpha} & G_{k-1}^{\alpha} & g_{k-1}\end{pmatrix}$$

for $k\ge2$, where $G_{k-1}^{\alpha}$ is the generator matrix of $S_{k-1}^{\alpha}$. 

Now let $G_k^{\beta}$ be the $k\times\frac{6^k-3^k-2^k+1}{2}$ matrix defined inductively by $G_1^{\beta}=[1]$ and, for $k\ge2$,

$$G_k^{\beta}=\begin{pmatrix} 1\cdots1 & 0\cdots0 & 2\cdots2 & 3\cdots3\\ G_{k-1}^{\alpha} & G_{k-1}^{\beta} & H_{k-1} & g_{k-1}\end{pmatrix},$$

so that, for instance,

$$G_2^{\beta}=\begin{pmatrix} 1&1&1&1&1&1&0&2&2&2&3&3\\ 0&1&2&3&4&5&1&1&3&5&1&2\end{pmatrix},$$

where $G_{k-1}^{\alpha}$ is the generator matrix of $S_{k-1}^{\alpha}$. Note that $G_k^{\beta}$ is obtained from $G_k^{\alpha}$ by deleting $\frac{(2^k+1)(3^k-1)}{2}+2^k$ columns. By induction it is easy to verify that no two columns of $G_k^{\beta}$ are multiples of each other. Let $S_k^{\beta}$ be the code generated by $G_k^{\beta}$. Note that $S_k^{\beta}$ is a $\bigl[\frac{6^k-3^k-2^k+1}{2},\,k\bigr]$ code. To determine the weight distributions of $S_k^{\beta}$ we first make some observations. 

The proof of the following proposition is similar to that of Proposition 2. 

Proposition 1. Each row of $G_k^{\beta}$ contains $6^{k-1}$ units and

$$\omega_2+\omega_4=3^{k-1}(2^{k-1}-1),\qquad \omega_3=2^{k-2}(3^{k-1}-1),\qquad \omega_0=\frac{6^{k-1}-3^{k-1}-2^{k-1}+1}{2}.$$

Remark 4. Each row of $G_k^{\beta}$ has Hamming weight $3^{k-1}(2^k-1)+2^{k-2}(3^{k-1}-1)$, Lee weight $2\cdot3^{k-1}(3\cdot2^{k-2}-1)+3\cdot2^{k-2}(3^{k-1}-1)$, Euclidean weight $3^{k-1}(19\cdot2^{k-2}-4)-9\cdot2^{k-2}$, and Chinese Euclidean weight $6^k-2^k-3^k$. 

The proof of the following lemma is similar to the proof of Lemma 2. 

Lemma 4. Let $c\in S_k^{\beta}$, $c\ne0$. 

1. If for at least one $i$, $c_i$ is a unit, then $\omega_1+\omega_5=6^{k-1}$, $\omega_2+\omega_4=3^{k-1}(2^{k-1}-1)$, $\omega_3=2^{k-2}(3^{k-1}-1)$ and $\omega_0=\frac{6^{k-1}-3^{k-1}-2^{k-1}+1}{2}$ in $c$. 

2. If $\forall i$, $c_i\in\{0,\pm2\}$, then $\omega_2+\omega_4=3^{k-1}(2^k-1)$ and $\omega_0=\frac{2\cdot6^{k-1}-3^{k-1}-2^k+1}{2}$ in $c$. 

3. If $\forall i$, $c_i\in\{0,3\}$, then $\omega_3=2^{k-2}(3^k-1)$ and $\omega_0=\frac{3\cdot6^{k-1}-3^k-2^{k-1}+1}{2}$ in $c$. 

The proof of the following lemma is similar to that of Lemma 3 and is omitted. 

Lemma 5. The binary (ternary) torsion code of $S_k^{\beta}$ is equivalent to $\frac{3^k-1}{2}$ copies of the binary simplex code ($(2^k-1)$ copies of the ternary simplex code). 

The proof of the following theorem is similar to that of Theorem 1 and is omitted. 

Theorem 2. The Hamming, Lee, Euclidean and C-Euclidean weight distributions of $S_k^{\beta}$ are: 

1. $A_H(0)=1$, $A_H\bigl(2^{k-2}(3^k-1)\bigr)=2^k-1$, $A_H\bigl(3^{k-1}(2^k-1)\bigr)=3^k-1$, $A_H\bigl(3^{k-1}(2^k-1)+2^{k-2}(3^{k-1}-1)\bigr)=(2^k-1)(3^k-1)$. 

2. $A_L(0)=1$, $A_L\bigl(3\cdot2^{k-2}(3^k-1)\bigr)=2^k-1$, $A_L\bigl(2\cdot3^{k-1}(2^k-1)\bigr)=3^k-1$, $A_L\bigl(2\cdot3^{k-1}(3\cdot2^{k-2}-1)+3\cdot2^{k-2}(3^{k-1}-1)\bigr)=(2^k-1)(3^k-1)$. 

3. $A_E(0)=1$, $A_E\bigl(9\cdot2^{k-2}(3^k-1)\bigr)=2^k-1$, $A_E\bigl(4\cdot3^{k-1}(2^k-1)\bigr)=3^k-1$, $A_E\bigl(3^{k-1}(19\cdot2^{k-2}-4)-9\cdot2^{k-2}\bigr)=(2^k-1)(3^k-1)$. 

4. $A_{CE}(0)=1$, $A_{CE}(6^k-2^k)=2^k-1$, $A_{CE}(6^k-3^k)=3^k-1$, $A_{CE}(6^k-2^k-3^k)=(2^k-1)(3^k-1)$, 

where $A_H(i)$ ($A_L(i)$) denotes the number of vectors of Hamming (Lee) weight $i$ in $S_k^{\beta}$, and similarly for the Euclidean weights of both types. 

Remark 5. 1. The swe of $S_k^{\beta}$ is given as

$$swe(a,b,c,d)=1+\cdots,$$

where $n(k)=\cdots$, $p(k)=3^k(2^k-1)$ and $q(k)=2^{k-1}(3^k-1)$. 

2. The minimum weights of $S_k^{\beta}$ are: $d_H=2^{k-2}(3^k-1)$, $d_L=2\cdot3^{k-1}(2^k-1)$, $d_E=4\cdot3^{k-1}(2^k-1)$, $d_{CE}=6^k-2^k-3^k$. 

Let $G_k^{\gamma}$ be the $k\times 2^{k-1}(3^k-2^k)$ matrix defined inductively by 

and for $k\ge2$ 

where $G_{k-1}^{\alpha}$ is the generator matrix of $S_{k-1}^{\alpha}$. Note that $G_k^{\gamma}$ is obtained from $G_k^{\alpha}$ by deleting $2^{k-1}(2^k+3^k)$ columns. By induction it is easy to verify that no two columns of $G_k^{\gamma}$ are multiples of each other. Let $S_k^{\gamma}$ be the code generated by $G_k^{\gamma}$. Note that $S_k^{\gamma}$ is a $[2^{k-1}(3^k-2^k),\,k]$ code. 



Proposition 2. Each row of $G_k^{\gamma}$ contains $6^{k-1}$ units and

$$\omega_0=\omega_2=\omega_3=\omega_4=2^{k-2}(3^{k-1}-2^{k-1}).$$

Proof. Clearly the assertion holds for the first row. Assume that the result holds for each row of $G_{k-1}^{\gamma}$. Then the number of units in each row of $G_{k-1}^{\gamma}$ is $6^{k-2}$. By Lemma 2, the number of units in any row of $G_{k-1}^{\alpha}$ is $2^{k-1}\cdot3^{k-2}$. Hence the total number of units in any row of $G_k^{\gamma}$ will be $2^{k-1}\cdot3^{k-2}+4\cdot2^{k-2}\cdot3^{k-2}=2^{k-1}\cdot3^{k-1}$. A similar argument holds for the number of 0's, 2's, 3's and 4's. 



Remark 6. Each row of $G_k^{\gamma}$ has Hamming weight $3\cdot2^{k-2}\,[\,5\cdot3^{k-2}-2^{k-1}\,]$, Lee weight $2^{k-2}\,[\,3^{k+1}-7\cdot2^{k-1}\,]$, Euclidean weight $2^{k-2}\,[\,19\cdot3^{k-1}-17\cdot2^{k-1}\,]$, and Chinese Euclidean weight $6^k-5\cdot4^{k-1}$. 

The various weight distributions of $S_k^{\gamma}$ can be obtained using arguments similar to those for the other simplex codes. To save space we omit them. 

The weight hierarchy of $S_k^{\alpha}$ is given by the following theorem. 

Theorem 3. The weight hierarchy of $S_k^{\alpha}$ is given by

$$d_{r_1,r_2,r_3}=6^k-2^{k-r_1-r_3}\,3^{k-r_1-r_2}.$$

Proof. By Remark 3 and the definition of $d_{r_1,r_2,r_3}$ after Lemma 1. 

4 Chinese Product Type Construction 

The Chinese remainder theorem (CRT) plays an important role in the study of codes over $\mathbb{Z}_{2k}$ [4,6]. In particular, given binary and ternary linear codes of length $n$ and dimension $k$, one can construct a senary code (over $\mathbb{Z}_6$) of length $n$ using the CRT. The following theorem is from [4,6]. 

Theorem 4. [4,6] If $B$ and $T$ are linear codes of length $n$ over $GF(2)$ and $GF(3)$, respectively, then the set $CRT(B,T)=\{\,\phi^{-1}(c_b,c_t) \mid c_b\in B,\ c_t\in T\,\}$ is a linear code of length $n$ over $\mathbb{Z}_6$. Moreover, if $B$ and $T$ are self-orthogonal then $CRT(B,T)$ is also self-orthogonal. 

If generator matrices of $B$, $T$ and $CRT(B,T)$ are $G(B)$, $G(T)$ and $G(CRT(B,T))$, respectively, then we have $\phi(G(CRT(B,T)))=[\,G(B)\,|\,G(T)\,]$, where $\phi$ is the Chinese Gray map. If the codes $B$ and $T$ are of different lengths, say $n_1$ and $n_2$, then it seems that no non-trivial method is known to construct a code over $\mathbb{Z}_6$ from these codes. In the trivial case one can of course add extra zero columns to the generator matrix of the code of shorter length and then use Theorem 4. Here we present a new construction of a generator matrix of a senary code from codes of different lengths. 

Let $G(B)=[x_1\,x_2\ldots x_{n_1}]$ and $G(T)=[y_1\,y_2\ldots y_{n_2}]$, where $x_i$, $y_j$ are the corresponding columns. Now form the matrix $G(B)\ast G(T)$ consisting of the $n_1n_2$ pairs of total $2n_1n_2$ columns $\{x_iy_1\ x_iy_2\ \ldots\ x_iy_{n_2}\}_{i=1}^{n_1}$. These pairs of columns give a generator matrix of length $n_1n_2$ (the product of the lengths of the binary and ternary codes) over $\mathbb{Z}_6$ using the inverse Chinese Gray map. In particular, if $n_1=n_2=n$ then we get a code of length $n^2$. Note that if we use Theorem 4 to construct a generator matrix for the case $n_1=n_2=n$, we obtain a code of length $n$ with generator matrix $[x_1y_1\ x_2y_2\ \cdots\ x_ny_n]$. In this case, the resulting code will be self-orthogonal if the corresponding binary and ternary codes are self-orthogonal [6]. Similarly it is easy to see that 
self orthogonal [6] . Similarly it is easy to see that 

Lemma 6. The senary codes constructed by $G(B)\ast G(T)$ will be self-orthogonal if the corresponding codes $B$ and $T$ are self-orthogonal. 

The next two results show that self-orthogonal simplex codes of type $\alpha$ and $\beta$ can be obtained from the construction $G(B)\ast G(T)$. 

Theorem 5. The codes $S_k^{\alpha}$ and $S_k^{\beta}$ can be obtained via the construction $G(B)\ast G(T)$. 

Proof. We will only prove the result for $S_k^{\alpha}$, since the other case is similar. If we apply the Chinese Gray map to the generator matrix $G_k^{\alpha}$, we see that it is equivalent to the matrix $G(\hat S_k)\ast T_k^{\alpha}$, where $T_k^{\alpha}$ is defined in (5). 

Theorem 6. The codes $S_k^{\alpha}$ ($k\ge3$) and $S_k^{\beta}$ ($k\ge2$) are self-orthogonal. 

Proof. The result follows from Lemma 6 and Theorem 5. It can also be proved by induction on $k$, since the rows of the generator matrices are pairwise orthogonal and each of the rows has Euclidean weight a multiple of 12 [1]. 

Remark 1. The code $S_k^{\gamma}$ is not self-orthogonal, as the Euclidean weights of the rows of $G_k^{\gamma}$ are not a multiple of 12. 
Abstract. Recently, an optimal formally self-dual $\mathbb{Z}_4$-code of length 14 and minimum Lee weight 6 has been found using the double circulant construction by Duursma, Greferath and Schmidt. In this paper, we classify all optimal double circulant $\mathbb{Z}_4$-codes up to length 32. In addition, double circulant codes with the largest minimum Lee weights for this class of codes are presented for lengths up to 32. 



1 Introduction 

Some of the best known non-linear binary codes which are better than any comparable linear codes are the Nordstrom-Robinson, Kerdock and Preparata codes. The Nordstrom-Robinson and Preparata codes are twice as large as the best linear codes for the same parameters. The Nordstrom-Robinson, Kerdock and Preparata codes are the Gray map images $\phi(C)$ of some extended cyclic linear codes $C$ over $\mathbb{Z}_4$ [6]. In particular, the Nordstrom-Robinson code is the Gray map image $\phi(O_8)$ of the octacode $O_8$, which is the unique self-dual $\mathbb{Z}_4$-code ($O=O^{\perp}$) of length 8 and minimum Lee weight 6. 

The $\mathbb{Z}_4$-dual of $\phi(C)$ is defined as $\phi(C^{\perp})$ [6]. $\phi(C)$ is called formally self-dual if $\phi(C)$ and $\phi(C^{\perp})$ have identical weight enumerators. The Gray map image of a self-dual code over $\mathbb{Z}_4$ is formally self-dual [2]. A $\mathbb{Z}_4$-code with the same symmetrized weight enumerator as its dual code is called formally self-dual. The Gray map image of a formally self-dual $\mathbb{Z}_4$-code is also formally self-dual. Moreover, there exist formally self-dual $\mathbb{Z}_4$-codes which have a better minimum Lee weight than any self-dual code of that length. Recently, an optimal formally self-dual $\mathbb{Z}_4$-code of length 14 and minimum Lee weight 8 has been found using the double circulant construction [4]. It is natural to consider formally self-dual $\mathbb{Z}_4$-codes in order to construct better binary non-linear formally self-dual codes. This motivates our investigation of optimal double circulant $\mathbb{Z}_4$-codes with respect to Lee weights. Double circulant codes are a class of isodual codes and formally self-dual codes [1]. Optimal double circulant codes over $\mathbb{Z}_4$ with respect to Euclidean weights were found in [1] to construct dense isodual lattices. 



S. Bozta§ and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 122-128, 2001. 
This paper is organized as follows. In Sect. 2, we give basic definitions and known results for codes over $\mathbb{Z}_4$. Sect. 3 presents a unique double circulant code of length 14. In Sect. 4, we give a classification of optimal double circulant codes of lengths 6 and 10. In Sect. 5, double circulant codes with the largest minimum Lee weight for this class of codes are constructed for lengths up to 32. It is also demonstrated that there are no optimal double circulant codes for lengths $n=8$, $12$ and $16\le n\le32$, which completes the classification of all optimal double circulant codes up to length 32. Table 1 gives the largest minimum Lee weights $d(DCC)$ of double circulant codes up to length 32. If the minimum Lee weight $d(DCC)$ is optimal (see Sect. 2 for the definition), it is marked by *. For comparison purposes, the largest minimum Lee weights $d(SDC)$ of self-dual codes are also given. The values of $d(SDC)$ are from [8] and [9]. 



Table 1. Largest minimum Lee weights 

Length  d(DCC)  d(SDC)    Length  d(DCC)  d(SDC)
   2      2*      2         18      8       8
   4      4*      4         20      9       8
   6      4*      4         22     10       8
   8      4       6         24     10      12
  10      6*      4         26     10     ≤10
  12      6       4         28     12     ≤12
  14      8*      6         30     12     ≤12
  16      8       8         32     12     ≤16



2 Codes over Z4 

A code $C$ of length $n$ over $\mathbb{Z}_4$ (or a $\mathbb{Z}_4$-code of length $n$) is a $\mathbb{Z}_4$-submodule of $\mathbb{Z}_4^n$, where $\mathbb{Z}_4$ is the ring of integers modulo 4. A generator matrix of $C$ is a matrix whose rows generate $C$. An element of $C$ is called a codeword of $C$. The symmetrized weight enumerator of $C$ is given by

$$swe_C(a,b,c)=\sum_{x\in C} a^{n_0(x)}\,b^{n_1(x)+n_3(x)}\,c^{n_2(x)},$$

where $n_i(x)$ is the number of components of $x\in C$ that are equal to $i$. The Lee weight $wt_L(x)$ of a vector $x$ is defined as $n_1(x)+2n_2(x)+n_3(x)$. The minimum Lee weight of $C$ is the smallest Lee weight among all non-zero codewords of $C$. We say that two codes are equivalent if one can be obtained from the other by permuting the coordinates and (if necessary) changing the signs of certain coordinates. For $x=(x_1,\ldots,x_n)$ and $y=(y_1,\ldots,y_n)$, we define the inner product of $x$ and $y$ in $\mathbb{Z}_4$ by $x\cdot y=x_1y_1+\cdots+x_ny_n$. The dual code $C^{\perp}$ of $C$ is defined as $C^{\perp}=\{\,x\in\mathbb{Z}_4^n \mid x\cdot y=0 \text{ for all } y\in C\,\}$. $C$ is self-dual if $C=C^{\perp}$, and $C$ is isodual if $C$ and $C^{\perp}$ are equivalent [1]. We say that $C$ is formally self-dual if $swe_C(a,b,c)=swe_{C^{\perp}}(a,b,c)$. Of course, a self-dual code is also isodual and an isodual code is also formally self-dual. The symmetrized weight enumerators of isodual codes over $\mathbb{Z}_4$ were investigated in [1]. 

The Gray map $\phi$ is defined as a map from $\mathbb{Z}_4^n$ to $\mathbb{F}_2^{2n}$ mapping $(x_1,\ldots,x_n)$ to $(\varphi(x_1),\ldots,\varphi(x_n))$, where $\varphi(0)=(0,0)$, $\varphi(1)=(0,1)$, $\varphi(2)=(1,1)$ and $\varphi(3)=(1,0)$. This is an isometry from ($\mathbb{Z}_4^n$, Lee distance) to ($\mathbb{F}_2^{2n}$, Hamming distance). The Gray map image $\phi(C)$ of a $\mathbb{Z}_4$-code $C$ need not be $\mathbb{F}_2$-linear and the dual code may not even be defined. The $\mathbb{Z}_4$-dual of $\phi(C)$ is defined as $\phi(C^{\perp})$ [6]. Note that the weight distributions of $\phi(C)$ and $\phi(C^{\perp})$ are MacWilliams transforms of one another. In addition, we say that $\phi(C)$ is formally self-dual if the weight distributions of $\phi(C)$ and $\phi(C^{\perp})$ are the same [2]. Of course, the Gray map image of a self-dual code over $\mathbb{Z}_4$ is formally self-dual [2]. The Gray map image of a formally self-dual code keeps this property. 

A (pure) double circulant code (DCC) has a generator matrix of the form

$$(\,I_n\ \ R\,), \qquad (1)$$

where $I_n$ is the identity matrix of order $n$ and $R$ is an $n$ by $n$ circulant matrix. The matrix $(1\ \ 1)$ generates the unique (trivial) DCC of length 2. For length 4, it is easy to see that a DCC is equivalent to one of the three codes $D_{4,1}$, $D_{4,2}$ and $D_{4,3}$ with $R$ in the generator matrices (1) given by the following matrices 

respectively. Since the symmetrized weight enumerators of the three codes are distinct, the codes are inequivalent. $D_{4,3}$ is equivalent to the self-dual code with $d_L=4$. $D_{4,3}$ is the unique double circulant code with $d_L=4$. 

We say that a $\mathbb{Z}_4$-code $C$ of length $n$ and minimum Lee weight $d_L$ is optimal if there is no binary $(2n,|C|,d_L+1)$ code (including non-linear) by the sphere-packing bound. For example, since there are no binary codes with parameters $(4,2^2,3)$ and $(8,2^4,5)$ by the sphere-packing bound, the above double circulant codes of length 2 (resp. 4) and $d_L=2$ (resp. 4) are optimal. We will demonstrate that there are optimal double circulant codes for lengths 2, 4, 6, 10 and 14. A double circulant code is called DCC-optimal if it has the largest minimum Lee weight among all double circulant codes of that length. 

3 A Unique Optimal Double Circulant Code of Length 14 

Recently Duursma, Greferath and Schmidt [4] have found an optimal formally self-dual $\mathbb{Z}_4$-code $C_{14}$ of length 14 (that is, it has minimum Lee weight 8). This code was discovered by an exhaustive search under some condition on the binary reduction. This motivates our interest in the classification of all double circulant codes with $d_L=8$. 

By exhaustive search, we have found all distinct double circulant codes with $d_L=8$. The codes have generator matrices (1) with the following first rows of $R$: 

(3133211), (1311233), (2331311) and (2113133). 

Let $C$ be a double circulant code with generator matrix (1). It is obvious that a cyclic shift of the first row of $R$ defines an equivalent double circulant code. In addition, the codes with the following generator matrices

$$(\,I_n\ \ {-R}\,),\quad (\,I_n\ \ R^T\,)\ \text{ and }\ (\,I_n\ \ {-R^T}\,),$$

are double circulant codes which are equivalent to $C$, where $R^T$ denotes the transpose of $R$. This can reduce the number of codes which must be checked further for equivalence to complete the classification. For the above codes, this is sufficient to determine that the four codes are equivalent. 

Theorem 1. There is a unique optimal double circulant $\mathbb{Z}_4$-code of length 14 and minimum Lee weight 8, up to equivalence. 
The unique code has the following symmetrized weight enumerator: 

+ 21a^°c^ + 168a®&'‘c^ + 336a^5'‘c^ + 64a^c^ + 112a®6® + 896a®5^c 
+504a®6^c‘‘ + 35a® c® + 336a® + 672a® 6^ c® + 1008a^5®c2 + 4480a^6^c® 

+504a^6^c® + 1568a®&®c® + 336a®6"‘c^ + 2240%^"^ + 1008a^6®c^ + 2688a^6^c® 
+168a^6^c® + 7a^c®2 + MSab^'^c + 336a6®c® + 224b^‘^c^ + 1126® c® + 1286^c^. 

4 Optimal Double Circulant Codes of Lengths 6, 8 and 10 

— Length 6: The largest minimum Lee weight among all double circulant codes of length 6 is 4. Any formally self-dual code of this length with $d_L=4$ is optimal by considering the sphere-packing bound on the Gray map image. A double circulant code with $d_L=4$ is equivalent to one of the codes $D_{6,1}$, $D_{6,2}$, $D_{6,3}$ and $D_{6,4}$ with first rows of $R$ given by 

(210), (311), (221) and (321), 

respectively. $D_{6,3}$ is equivalent to $\mathcal{V}_6$ in [3], which is the unique self-dual code with $d_L=4$. The symmetrized weight enumerators of $D_{6,1}$, $D_{6,2}$ and $D_{6,4}$ are as follows: 

$$swe_{D_{6,1}}=a^6+3a^4c^2+12a^3b^2c+3a^2c^4+24ab^4c+12ab^2c^3+8b^6+c^6,$$

$$swe_{D_{6,2}}=a^6+3a^4c^2+6a^3b^2c+6a^2b^4+12a^2b^2c^2+3a^2c^4+12ab^4c+6ab^2c^3+8b^6+6b^4c^2+c^6,$$

$$swe_{D_{6,4}}=a^6+4a^3c^3+6a^2b^4+24a^2b^3c+3a^2c^4+12ab^4c+6b^6+8b^3c^3.$$

We now consider the binary Gray map images $\phi(D_{6,1})$, $\phi(D_{6,2})$, $\phi(D_{6,3})$ and $\phi(D_{6,4})$ of the above four optimal double circulant codes. We have verified that $\phi(D_{6,1})$ and $\phi(D_{6,3})$ are linear while $\phi(D_{6,2})$ and $\phi(D_{6,4})$ are non-linear. 

Since the Hamming weight distributions of $\phi(D_{6,2})$ and $\phi(D_{6,4})$ are distinct, the two codes are inequivalent. Our computer search shows that $\phi(D_{6,3})$ is equivalent to the unique self-dual $[12,6,4]$ code, and $\phi(D_{6,1})$ is a formally self-dual $[12,6,4]$ code which is not self-dual and is equivalent to $C_{12,2}$ in [5]. Therefore the Gray map images of the four codes are inequivalent. 

Proposition 1. There are exactly four inequivalent optimal double circulant codes of length 6 and minimum Lee weight 4. The Gray map images of the four codes are also inequivalent. 

— Length 8: We have verified that there is no DCC of length 8 and minimum Lee weight 6. In fact, the largest minimum Lee weight of a DCC of length 8 is 4. The octacode $O_8$ is the unique self-dual code of this length and minimum Lee weight 6. It is well known that $O_8$ is optimal and its Gray map image is the Nordstrom-Robinson code. 

— Length 10: By exhaustive search, we have found all distinct double circulant codes of length 10 and minimum Lee weight 6. All distinct codes $D_{10,1},\ldots,D_{10,6}$ and $D_{10,7}$ which must be checked further for equivalence to complete the classification have the following first rows of $R$: 

(21110), (12110), (32110), (23110), (31210), (32211) and (32121), 

respectively. For the cases $(i,j)=(1,2)$, $(4,5)$ and $(6,7)$, we have verified that $D_{10,i}$ and $D_{10,j}$ are permutation-equivalent. We have also verified that $D_{10,i}$ and $D_{10,j}$ are not permutation-equivalent for $(i,j)=(1,3)$, $(1,4)$ and $(4,6)$. However, our computer search shows that the codes $D_{10,1}$ and $D_{10,3}$ are equivalent, and the codes $D_{10,4}$ and $D_{10,6}$ are equivalent. 



Table 2. Codes D_{10,1} and D_{10,4} 

Code      M6(5) m6(5) M6(4) m6(4) M6(3) m6(3) M6(2) m6(2) M6(1) m6(1)
D_{10,1}     9     0    17     7    32    20    59    53    99    99
D_{10,4}    10     0    17     7    32    20    59    53    99    99

Code      M8(5) m8(5) M8(4) m8(4) M8(3) m8(3) M8(2) m8(2) M8(1) m8(1)
D_{10,1}    70    60   104    96   142   138   188   186   240   240
D_{10,4}    70    62   104    96   142   138   188   186   240   240



We now use the following method given in [7] to check the inequivalence of the codes $D_{10,1}$ and $D_{10,4}$. Let $C$ be a code of length $2n$. Let $M_t=(m_{ij})$ be the $A_t\times 2n$ matrix with rows composed of the codewords of Hamming weight $t$ in $C$, where $A_t$ denotes the number of codewords of Hamming weight $t$ in $C$. For an integer $k$ ($1\le k\le 2n$), let $n_t(j_1,\ldots,j_k)$ be the number of $r$ ($1\le r\le A_t$) such that $m_{rj_1}\cdots m_{rj_k}\ne0$ over $\mathbb{Z}$ for $1\le j_1<\cdots<j_k\le 2n$. We consider the set

$$S_t(k)=\{\,n_t(j_1,\ldots,j_k) \mid \text{for any } k \text{ distinct columns } j_1,\ldots,j_k\,\}.$$

Let $M_t(k)$ and $m_t(k)$ be the maximum and minimum numbers in $S_t(k)$, respectively. The values of $M_t(k)$ and $m_t(k)$ ($t=6,8$, $k=1,\ldots,5$) for the two codes are listed in Table 2, and establish that $D_{10,1}$ and $D_{10,4}$ are inequivalent. 

Codes $D_{10,1}$ and $D_{10,4}$ have the following symmetrized weight enumerator:

$$a^{10}+15a^6c^4+60a^5b^4c+30a^4b^6+120a^4b^4c^2+15a^4c^6+120a^3b^6c+120a^3b^4c^3+180a^2b^4c^4+\cdots+120ab^6c^3+60ab^4c^5+32b^{10}+30b^6c^4+c^{10}.$$

The Gray map images $\phi(D_{10,1})$ and $\phi(D_{10,4})$ are both non-linear. We have determined via computer that the codewords of weight 6 in both codes form $1$-$(20,6,27)$ designs. Moreover, Magma was used to show that the two 1-designs are non-isomorphic. Hence the two codes $\phi(D_{10,1})$ and $\phi(D_{10,4})$ are inequivalent. Therefore we have the following: 

Proposition 2. There are exactly two inequivalent optimal double circulant codes of length 10 and minimum Lee weight 6. The binary Gray map images are also inequivalent. 
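The following Python script is an added example (not code from the paper): it builds the generator matrix $(I_n\ R)$ of (1) from a first row of $R$, enumerates the code, and recovers by brute force the minimum Lee weight of the length-14 code of Sect. 3, the symmetrized weight enumerator of $D_{6,1}$, and the linearity of the Gray map images of $D_{6,1}$ and $D_{6,2}$ reported above. Function names are the example's own; the $\mathbb{Z}_4$-linearity criterion used is the standard one (Hammons et al.): $\phi(C)$ is linear iff $2(x\ast y)\in C$ for all $x,y\in C$.

```python
"""Pure double circulant Z4-codes with generator matrix (I_n R), as in (1):
brute-force minimum Lee weight, symmetrized weight enumerator and the
Z4-linearity test for the binary Gray map image."""
from itertools import product

LEE = {0: 0, 1: 1, 2: 2, 3: 1}                      # Lee weight of a Z4 symbol
GRAY = {0: (0, 0), 1: (0, 1), 2: (1, 1), 3: (1, 0)}  # Gray map varphi on Z4

def circulant(first_row):
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]

def dcc_generator(first_row):
    """Generator matrix (I_n R) with R the circulant matrix of first_row."""
    n = len(first_row)
    R = circulant(first_row)
    return [[int(i == j) for j in range(n)] + R[i] for i in range(n)]

def codewords(G):
    """All Z4-linear combinations of the rows of G (4^n codewords for (I_n R))."""
    m = len(G[0])
    return {tuple(sum(c * row[j] for c, row in zip(coeffs, G)) % 4 for j in range(m))
            for coeffs in product(range(4), repeat=len(G))}

def lee_weight(x):
    return sum(LEE[a % 4] for a in x)

def min_lee_weight(first_row):
    return min(lee_weight(c) for c in codewords(dcc_generator(first_row)) if any(c))

def swe(first_row):
    """swe_C(a,b,c) as a dict (n0, n1, n2) -> coefficient of a^n0 b^n1 c^n2,
    where n1 counts the +-1 entries and n2 the entries equal to 2."""
    dist = {}
    for c in codewords(dcc_generator(first_row)):
        key = (c.count(0), c.count(1) + c.count(3), c.count(2))
        dist[key] = dist.get(key, 0) + 1
    return dist

def gray_map(x):
    return tuple(bit for a in x for bit in GRAY[a % 4])

def gray_image_is_linear(first_row):
    """phi(C) is F2-linear iff 2(x*y) in C for all x, y in C (Hammons et al.);
    the componentwise product * is bilinear, so checking generator rows suffices."""
    G = dcc_generator(first_row)
    C = codewords(G)
    return all(tuple((2 * a * b) % 4 for a, b in zip(r, s)) in C for r in G for s in G)

if __name__ == "__main__":
    print(min_lee_weight((3, 1, 3, 3, 2, 1, 1)))   # the length-14 code of Sect. 3
    print(swe((2, 1, 0)))                           # D_{6,1} of Sect. 4
    print(gray_image_is_linear((2, 1, 0)), gray_image_is_linear((3, 1, 1)))
```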

5 DCC-Optimal Double Circulant Codes 

By exhaustive search, we have found all distinct double circulant codes up to length 32. Table 3 lists some DCC-optimal codes of length 12. The coefficients of two monomials of the symmetrized weight enumerator, the second being $a^6b^6$, are also given in the table. These coefficients show that the codes have distinct symmetrized weight enumerators, and so are inequivalent. 



Table 3. DCC-optimal double circulant codes of length 12 

Code       First row   Coeff. of ...   Coeff. of a^6 b^6
D_{12,1}    211100          15               12
D_{12,2}    121100          15               24
D_{12,3}    321100          15               40
D_{12,4}    221010           6                0
D_{12,5}    322010           6               28
D_{12,6}    211110           6               30
D_{12,7}    311110          15               48
D_{12,8}    121110           6               32
D_{12,9}    131110          15               64
D_{12,10}   222110           6                2
D_{12,11}   203210           6               40
D_{12,12}   321111          15               16
D_{12,13}   312111          15                0




128 



T.A. Gulliver and M. Harada 



Table 4. DCC-optimal double circulant codes 

Code    First row           d_L
D_16    32121100             8
D_18    121210000            8
D_20    2321011000           9
D_22    12312110000         10
D_24    123312100000        10
D_26    3100302220100       10
D_28    21331312010000      12
D_30    212313201000000     12
D_32    2311221010000000    12


Table 4 gives DCC-optimal double circulant codes $D_{16},\ldots,D_{32}$ for lengths $16,\ldots,32$. These codes complete Table 1. We have determined that there are no optimal double circulant $\mathbb{Z}_4$-codes of lengths $n=12$ and $16\le n\le32$ (see also Table 1). Hence the classification of optimal double circulant codes up to length 32 is complete. 
Abstract. We define number-theoretic error-correcting codes based on algebraic number fields, thereby providing a generalization of Chinese Remainder Codes akin to the generalization of Reed-Solomon codes to Algebraic-geometric codes. Our construction is very similar to (and in fact less general than) the one given by Lenstra [8], but the parallel with the function field case is more apparent, since we only use the non-archimedean places for the encoding. We prove that over an alphabet size as small as 19, there even exist asymptotically good number field codes of the type we consider. This result is based on the existence of certain number fields that have an infinite class field tower in which some primes of small norm split completely. 



1 Introduction 

Algebraic Error-correcting Codes. For a finite field F_q, an [n, k, d]_q-code C is a subset 
of F_q^n of size q^k such that if c_1 ≠ c_2 ∈ C are two distinct codewords then they differ 
in at least d of the n positions. If C is actually a subspace of dimension k of the vector 
space F_q^n (over F_q) then it is called a linear code. The parameters n, k, d are referred to 
as the blocklength, dimension, and minimum distance (or simply distance) of the code 
C. For non-linear codes, the “dimension” need not be an integer; we just use it to refer 
to the quantity log_q |C|. The rate of the code, denoted by R(C), is the quantity k/n. 

A broad and very useful class of error-correcting codes are algebraic-geometric codes 
(henceforth AG-codes), where the message is interpreted as specifying an element of 
some “function field” and it is encoded by its evaluations at a certain fixed set of “points” 
on an underlying well-behaved algebraic curve. A simple example is the widely used class 
of Reed-Solomon codes where messages are low degree polynomials and the codewords 
correspond to evaluations of such a polynomial at a fixed set of points in a finite field. 
The distance of the code follows from the fact that a low-degree polynomial cannot have 
too many zeroes in any field, and this is generalized for the case of algebraic-geometric 
codes using the fact that any “regular function” on an algebraic curve cannot have more 
zeroes than poles. 

The class of algebraic-geometric codes is a broad class of very useful codes that 
include codes which beat the Gilbert-Varshamov bound for alphabet sizes q ≥ 49 (see 
for example [17,2]). In addition to achieving such good performance, they possess a nice 
algebraic structure which has enabled the design of efficient decoding algorithms that decode 
even in the presence of a large number of errors [14,5]. 

Motivation behind our work. Another family of algebraic codes that have received 
some study are number-theoretic redundant residue codes called the “Chinese Remainder 
codes” (henceforth called CRT codes). Here the messages are identified with integers 
with absolute value at most K (for some parameter K that governs the rate) and a message 
m is encoded by its residues modulo n primes p_1 < p_2 < ··· < p_n. If K = p_1 p_2 ··· p_k 
and n > k, this gives a redundant encoding of m and the resulting “code” (which is 
different from usual codes in that symbols in different codeword positions are over 
different alphabets) has distance n − k + 1. 

In light of the progress in decoding algorithms for Reed-Solomon and algebraic- 
geometric codes, there has also been progress on decoding CRT codes [3,1,6] in the 
presence of very high noise, and the performance of the best known algorithm matches 
the number of errors correctable for Reed-Solomon codes [5]. Since Reed-Solomon 
codes are a specific example of the more general family of AG-codes, it is natural to ask 
if CRT codes can also be realized as certain kind of AG-codes, and further whether there 
is a natural generalization of CRT codes akin to the generalization of Reed-Solomon 
codes to algebraic-geometric codes. It is this question which is addressed in this work. 

Our Results. For those familiar with the algebraic-geometric notion of schemes, it is 
not hard to see that the CRT code can be captured by a geometric framework using the 
idea of “one-dimensional schemes” and can thus be cast as a geometric code via an 
appropriately defined non-singular curve (namely Spec(Z), the space of all prime 
ideals of Z) and viewing integers (which are the messages) as regular functions on that 
curve. More generally, using this idea we are able to define error-correcting codes based 
on any number field (a finite field extension of the field Q of rational numbers); we call 
such codes number field codes (or NF-codes). 

We prove that over a large enough alphabet (GF(19) suffices), there in fact exist 
asymptotically good number field codes. A code family {C_i} of [n_i, k_i, d_i]_q codes of 
increasing blocklength n_i → ∞ is called asymptotically good if lim inf k_i/n_i > 0 and 
lim inf d_i/n_i > 0. Explicit construction of asymptotically good codes is a central problem 
in coding theory and several constructions are known, the best ones (for large enough q) 
being certain families of algebraic-geometric codes. Our construction of asymptotically 
good number field codes uses concepts from class field theory and in particular is based on the 
existence of certain number fields that have an infinite Hilbert class field tower in which 
several primes of small norm split completely all the way up the tower. Obtaining such 
a construction over as small an alphabet size as possible is one of the primary focuses 
of this paper. 

Comparison with [8]. It is our pleasure to acknowledge here that Lenstra [8] (see 
also the account in [15]) had long back already considered the construction of codes 
from algebraic number fields, and we are therefore by no means the first to consider 
this question. Unfortunately, we were unaware of his work when we came up with 
our constructions. The main point of difference between his constructions and ours is 
the following. In our constructions, messages are taken to be an appropriate subset of 
elements of the ring of integers in a number field and they are encoded by their residues 
modulo certain non-archimedean (also referred to as finite) places. This corresponds 
exactly to the “ideallic” view of codes (see [6]) since we have an underlying ring and 
messages are encoded by their residues modulo a few prime ideals. The construction in 
[8] is actually more general, and also allows archimedean (also referred to as infinite) 
places to be used for encoding. (We stress that it is not necessary to use the archimedean 
places for the constructions in [8], but doing so enabled [8] to prove the existence of 
asymptotically good codes more easily.) 

The use of archimedean places as in [8] is extremely insightful and cute, and also 
makes it easier to get good code parameters. But, not using them maintains the parallel 
with the function field situation, and gives a base case of NF-code constructions which 
is most amenable to encoding/decoding, assuming algorithms for these will eventually 
be studied. 

Finally, the results in [8] are of an asymptotic flavor, i.e. focus on what can be achieved 
in the limit for large alphabet size q, and do not imply asymptotically good codes exist 
for some reasonably small q. Also, no unconditional result (i.e. without assuming the 
Generalized Riemann Hypothesis (GRH)) guaranteeing the existence of asymptotically 
good codes can be directly inferred from [8] if one modifies the constructions therein to 
include only codeword positions corresponding to the finite places. We are able to prove, 
using some results on the existence of infinite class field towers, that asymptotically good 
codes of the kind we construct exist for reasonable values of q (for example, q = 19 
suffices). 

2 Algebraic Codes: Construction Philosophy 

We now revisit, at a high level, the basic principle that underlies the construction of all 
algebraic error-correcting codes, including Reed-Solomon codes, algebraic-geometric 
codes, and the Chinese Remainder code. A similar discussion can also be found in [6]. 

An algebraic error-correcting code is defined based on an underlying ring R (assume 
it is an integral domain) whose elements r come equipped with some notion of “size”, 
denoted size(r). For example, for Reed-Solomon codes, the ring is the polynomial ring F[X] 
over a (large enough) finite field F, and the “size” of f ∈ F[X] is simply its degree as a 
polynomial in X. Similarly, for the CRT code, the ring is Z, and the “size” is the usual 
absolute value. 

The messages of the code are the elements of the ring R whose size is at most a 
parameter A (this parameter governs the rate of the code). The encoding of a message 
m ∈ R is given by 

    m ↦ Enc(m) = (m/I_1, m/I_2, ..., m/I_n), 

where I_j, 1 ≤ j ≤ n, are n (distinct) prime ideals of R and m/I_j denotes the residue of 
m modulo I_j. (For instance, in the case of Reed-Solomon codes, we have R = F[X] and 
I_j = (X − α_j), the ideal generated by the polynomial (X − α_j), for 1 ≤ j ≤ n, where 
α_1, ..., α_n are distinct elements of F. This ideal-based view was also at the heart of the 
decoding algorithm for CRT codes presented in [6].) 

There are two properties of a code that are of primary concern in its design, namely (a) 
its rate, and (b) its minimum distance. The rate of the code constructed by the 
above scheme follows from an estimate of the number of elements m of R that have 
size(m) ≤ A. The distance of the code follows by using further properties of the size(·) 
function which we mention informally below. 

1. For elements a, b ∈ R, size(a − b) is “small” whenever size(a) and size(b) are both 
“small”. 

2. If f ≠ 0 belongs to “many” ideals among I_1, I_2, ..., I_n, then size(f) cannot be 
“too small”. 

It is not difficult to see that, together, these two properties imply that if m_1 ≠ m_2 are 
distinct messages, then their encodings Enc(m_1) and Enc(m_2) cannot agree in too many 
places, and this gives the distance property of the code. 
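As an added illustration (my own code, not from the paper), the following Python instantiates the scheme of this section with R = Z, size(m) = |m| and I_j = (p_j), i.e. a CRT code. Messages are integers with |m| ≤ K; k is taken as the number of smallest primes whose product exceeds 2K, which is exactly what property 2 needs: two messages agreeing in k positions would differ by a multiple of at least p_1 ··· p_k > 2K, impossible when both have absolute value at most K. The code checks by exhaustive search that the minimum distance is n − k + 1, and shows the converse of the distance argument, recovery of m from any k agreeing positions by Chinese remaindering. The primes 5, 7, 11, 13, 17 and K = 17 are constructed sample parameters.

```python
from itertools import combinations


def crt_reconstruct(residues, moduli):
    """Chinese remaindering: the unique x in [0, prod(moduli)) with
    x ≡ r_i (mod p_i) for the given pairwise coprime moduli p_i."""
    x, mod = 0, 1
    for r, p in zip(residues, moduli):
        # choose t so that x + mod*t ≡ r (mod p); mod is invertible modulo p
        t = ((r - x) * pow(mod, -1, p)) % p
        x += mod * t
        mod *= p
    return x, mod


class CRTCode:
    """Messages are integers m with |m| <= K; Enc(m) = (m mod p_1, ..., m mod p_n)."""

    def __init__(self, primes, K):
        self.primes = sorted(primes)
        self.K = K
        # k = number of smallest primes whose product exceeds 2K (property 2 of size):
        # agreement in k positions forces a difference divisible by > 2K, i.e. zero.
        self.k, prod = 0, 1
        while prod <= 2 * K:
            prod *= self.primes[self.k]
            self.k += 1

    def messages(self):
        return range(-self.K, self.K + 1)

    def encode(self, m):
        return tuple(m % p for p in self.primes)

    def designed_distance(self):
        """Distinct codewords agree in at most k - 1 places, so d >= n - k + 1."""
        return len(self.primes) - self.k + 1

    def decode_from(self, positions, symbols):
        """Erasure decoding: recover m from any positions whose moduli multiply to more than 2K."""
        moduli = [self.primes[i] for i in positions]
        x, mod = crt_reconstruct(symbols, moduli)
        if mod <= 2 * self.K:
            raise ValueError("not enough positions to determine the message")
        # |m| <= K < mod/2, so m is the symmetric representative of x modulo mod
        return x if x <= self.K else x - mod


def min_distance(code):
    """Exhaustive minimum Hamming distance over all pairs of codewords."""
    words = [code.encode(m) for m in code.messages()]
    return min(sum(a != b for a, b in zip(u, v)) for u, v in combinations(words, 2))


if __name__ == "__main__":
    code = CRTCode([5, 7, 11, 13, 17], K=17)   # constructed sample parameters
    print("k =", code.k, " designed distance n - k + 1 =", code.designed_distance())
    print("actual minimum distance =", min_distance(code))
    cw = code.encode(-12)
    print("codeword of -12:", cw, " decoded from positions 2,3:",
          code.decode_from([2, 3], [cw[2], cw[3]]))
```

With these parameters k = 2 (5 · 7 = 35 > 34), the designed distance n − k + 1 = 4 is attained exactly (the messages 0 and 5 agree modulo 5 only), and any two positions suffice to decode.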



3 Constructing Codes from Number Fields 

The previous section described how to construct codes from rings provided an appropriate 
notion of size can be defined on it. We now focus on the specific problem of constructing 
codes based on the ring of integers of number fields. 

An algebraic number field (or number field for short) is a finite (algebraic) extension 
of the field Q of rational numbers. Given some algebraic number field K/Q of degree 
[K : Q] = m (i.e., K = Q(α) where α satisfies an irreducible polynomial of degree m 
over Q), the code will comprise a subset of elements from its ring of integers, denoted 
O_K. (Recall that the ring of integers of a number field K is the integral closure of Z 
in K, i.e., it consists of the elements of K that satisfy some monic polynomial over Z.) It 
is well known that O_K is a Dedekind domain with several nice properties. For reasons 
of space, we refer the reader to any standard algebraic number theory text (for example 
[11,10]) for the necessary background on number fields. 



3.1 Norms of Ideals and Elements in a Ring of Integers 

“Norms” of Ideals: For every non-zero ideal I of a ring of integers R, R/I is finite. 
One can thus define a norm function on ideals as: 

Definition 1 [Norm of Ideals]: The norm of a non-zero ideal I ⊆ R, denoted ||I||, is 
defined as ||I|| = |R/I|. Note that for a prime ideal 𝔭, ||𝔭|| = p^{f(𝔭|p)} if 𝔭 lies above 
p ∈ Z and f(𝔭|p) is the inertia degree of 𝔭 over p. 

Definition 2 [Norm of Elements in O_K]: The norm of an element x ∈ R, also denoted 
||x|| by abuse of notation, is defined as ||(x)||, i.e., the norm of the ideal generated by x. 
(Define ||0|| = 0.) 

The following fact will be very useful for us later: 

Fact 3 For a number field K, if x ∈ I for some ideal I ⊆ O_K, then ||I|| divides ||x||. 

3.2 Defining Size of an Element 

By Fact 3, it is tempting to define the size of an element f as size(f) = ||f||. In fact, this 
satisfies one of the properties we required of size, namely that if m ≠ 0 has small size, 
then it cannot belong to several ideals I_i. Unfortunately, the other property we would 
like our size function to satisfy, namely that size(a − b) is “small” whenever size(a) and 
size(b) are both small, is not satisfied in general for all number fields by the definition 
size(f) = ||f||.* We thus need a different notion of size of an element. To this end, 
we will appeal to the valuation-theoretic point of view of the theory of number fields. 
We refer the reader to the book by Neukirch [11] for an excellent exposition of the 
valuation-theoretic approach to algebraic number theory; we rapidly review the most 
basic definitions and facts about valuations. 

A valuation of a field K is a function | | : K → R with the properties:† (i) |x| ≥ 0, 
and |x| = 0 ⟺ x = 0, (ii) |xy| = |x| |y|, and (iii) there exists a constant c ≥ 1 such 
that for all x, y ∈ K, |x + y| ≤ c · max{|x|, |y|} (“triangle inequality”).‡ 

Two valuations | |_1 and | |_2 on K are said to be equivalent iff there exists a real 
number s > 0 such that |x|_1 = |x|_2^s for all x ∈ K. A place of K is an equivalence class 
of valuations of K. Whenever we refer to a valuation from now on, we implicitly mean 
any member of its associated place. A valuation (place) | | is called non-archimedean 
(or ultrametric) if |n| stays bounded for all n ∈ N. Otherwise it is called archimedean. 
Alternatively, a valuation | | is non-archimedean if and only if it satisfies the triangle 
inequality of Condition (iii) above with c = 1, i.e., if |x + y| ≤ max{|x|, |y|} for all 
x, y ∈ K. 

One can define a non-archimedean valuation of the fraction field of any domain R 
based on any non-zero prime ideal of R (the trivial valuation |x| = 1 for all x ≠ 0 
corresponds to the zero ideal), similar to the valuation | |_p defined on Q above. In fact 
the non-zero prime ideals of the ring of integers O_K of a number field K correspond 
precisely to the non-archimedean places of K, and are called the finite places of K. In 
addition, the archimedean valuations of K correspond to the infinite places of K. The 
infinite places are important objects in the study of number fields and we review them 
next. 

Infinite places and a notion of “size”: Let K/Q be a field extension of degree [K : Q] = 
M. Then there are M distinct field homomorphisms (called embeddings) τ_i : K → C 
of the field K into C which leave Q fixed. Out of these let r of the embeddings be into 
the reals, say τ_1, ..., τ_r : K → R, and let the remaining 2s = M − r embeddings be 
complex. We refer to this pair (r, s) as the signature of K. These 2s embeddings come in 
s pairs of complex conjugate non-real embeddings, say σ_j, σ̄_j : K → C for 1 ≤ j ≤ s. 
The following fundamental result shows the correspondence between the archimedean 
valuations and the embeddings of K into C. 

Fact 4 There are precisely (r + s) infinite places (which we denote by q_1, q_2, ..., q_{r+s} 
throughout) of a number field K that has signature (r, s) (with r + 2s = [K : Q]). The 
r infinite places q_1, q_2, ..., q_r corresponding to the r real embeddings τ_1, ..., τ_r are 
given by the (archimedean) valuations |x|_{q_i} = |τ_i(x)| for 1 ≤ i ≤ r, and the s infinite 
places q_{r+1}, ..., q_{r+s} corresponding to the s pairs of complex conjugate embeddings 
σ_j are given by |x|_{q_{r+j}} = |σ_j(x)|^2. □ 

We now come to our definition of the size of an element x in a number field K. 

* For example, let K = Q(α) where α is a root of x^2 + Dx + 1 = 0. Then one can easily see 
that ||α|| = 1 (for example using Proposition 6) and of course ||1|| = 1, but ||α − 1|| = D + 2, 
and thus ||x − y|| can be arbitrarily larger than both ||x|| and ||y|| even for quadratic extensions. 

† Several textbooks call a “valuation” with these properties an absolute value. 

‡ When this condition is met with any c ≤ 2, then it is an easy exercise to show that in fact 
|x + y| ≤ |x| + |y| for all x, y, which is the “familiar” triangle inequality. 
Definition 5 [Size]: Let K be a number field with signature (r, s). Let | |_{q_1}, | |_{q_2}, 
..., | |_{q_r} be the archimedean valuations of K corresponding to the r real embeddings 
of K, and let | |_{q_{r+1}}, ..., | |_{q_{r+s}} be the archimedean valuations of K corresponding to 
the s complex conjugate embeddings of K. The size of an element x ∈ K is defined as 

\[ \mathrm{size}(x) = \sum_{i=1}^{r} |x|_{q_i} + \sum_{j=1}^{s} 2\sqrt{|x|_{q_{r+j}}} . \qquad (1) \]

The following shows an important property of the above definition of size(·) (which was 
lacking in the attempted definition size(x) = ||x||): 

Lemma 1. Let K be a number field with signature (r, s) and let a, b ∈ O_K. Then 
size(a − b) ≤ size(a) + size(b). 

Proof: The proof follows from the definition of size(x) and the (easy to check) facts that 
|x − y|_q ≤ |x|_q + |y|_q for the real infinite places q of K, and √|x − y|_q ≤ √|x|_q + √|y|_q 
for the complex (infinite) places of K. □ 

The following central and important result (see any textbook, e.g. [11], for a proof) 
relates the norm of an element (recall Definition 2) to its size, and is crucial for lower 
bounding the distance of our codes. 

Proposition 6 For a number field K and for any element x ∈ O_K in its ring of integers, 
we have 

\[ \|x\| = |x|_{q_1} \cdot |x|_{q_2} \cdots |x|_{q_{r+s}} , \]

where q_1, ..., q_{r+s} are the archimedean (infinite) places of K. 

Using the above, we get the following useful upper bound on ||x|| in terms of size(x). 

Lemma 2. For a number field K with [K : Q] = M and any x ∈ O_K, we have 

\[ \|x\| \le \left( \frac{\mathrm{size}(x)}{M} \right)^{M} . \]

Proof: Let (r, s) be the signature of K. The claimed result follows using Equation (1), 
Proposition 6 and an application of the Arithmetic Mean-Geometric Mean inequality to 
the M numbers (|x|_{q_1}, ..., |x|_{q_r}, √|x|_{q_{r+1}}, √|x|_{q_{r+1}}, ..., √|x|_{q_{r+s}}, √|x|_{q_{r+s}}). The 
arithmetic mean of these numbers equals size(x)/M and their geometric mean equals ||x||^{1/M}. 
□ 

Corollary 7 Let K be a number field of degree [K : Q] = M. If a, b ∈ O_K are such 
that size(a) ≤ B and size(b) ≤ B, then ||a − b|| ≤ (2B/M)^M. 

Proof: By Lemma 1, we have size(a − b) ≤ 2B, and using Lemma 2, we get ||a − b|| ≤ 
(2B/M)^M. □ 
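To make Definitions 2 and 5 and Lemmas 1 and 2 concrete, here is an added Python example (my own, not from the paper) for quadratic fields K = Q(√D), where M = 2 and the signature is (2, 0) for D > 0 and (0, 1) for D < 0. It computes ||x|| exactly as |a² − Db²|, the product of the two embeddings in absolute value as in Proposition 6; computes size(x) from the real or complex places; checks Lemma 1 and the AM-GM bound ||x|| ≤ (size(x)/M)^M of Lemma 2; and reproduces the footnote example, α a root of x² + Dx + 1 (so α ∈ Q(√(D² − 4)), D ≥ 3), for which ||α|| = ||1|| = 1 but ||α − 1|| = D + 2. The class and function names are my own.

```python
from fractions import Fraction
from math import sqrt

M = 2  # degree [K : Q] of a quadratic field


class QuadElem:
    """x = a + b*sqrt(D) with rational a, b in K = Q(sqrt(D)), D a non-square integer."""

    def __init__(self, a, b, D):
        self.a, self.b, self.D = Fraction(a), Fraction(b), D

    def __sub__(self, other):
        return QuadElem(self.a - other.a, self.b - other.b, self.D)

    def norm(self):
        """||x|| = |N_{K/Q}(x)| = |a^2 - D b^2|: the product of the two embeddings
        of x in absolute value (Proposition 6), computed exactly."""
        return abs(self.a ** 2 - self.D * self.b ** 2)

    def valuations(self):
        """Archimedean valuations |x|_q, one per infinite place (Fact 4), returned as
        (real_places, complex_places).  D > 0: two real embeddings a +- b*sqrt(D).
        D < 0: one pair of conjugate embeddings, |x|_q = |sigma(x)|^2 = a^2 + |D| b^2."""
        a, b = float(self.a), float(self.b)
        if self.D > 0:
            root = sqrt(self.D)
            return [abs(a + b * root), abs(a - b * root)], []
        return [], [a * a - self.D * b * b]

    def size(self):
        """Definition 5: sum over real places of |x|_q plus 2*sqrt(|x|_q) over complex places."""
        real, cplx = self.valuations()
        return sum(real) + sum(2 * sqrt(v) for v in cplx)


def lemma1_holds(x, y, tol=1e-9):
    """size(x - y) <= size(x) + size(y)."""
    return (x - y).size() <= x.size() + y.size() + tol


def lemma2_holds(x, tol=1e-9):
    """||x|| <= (size(x)/M)^M, i.e. AM-GM over the M = r + 2s archimedean values."""
    return float(x.norm()) <= (x.size() / M) ** M + tol


def footnote_example(D):
    """alpha = (-D + sqrt(D^2 - 4))/2 is a root of X^2 + D X + 1 and lies in Q(sqrt(D^2 - 4)).
    Returns (||alpha||, ||1||, ||alpha - 1||), which equals (1, 1, D + 2)."""
    disc = D * D - 4
    alpha = QuadElem(Fraction(-D, 2), Fraction(1, 2), disc)
    one = QuadElem(1, 0, disc)
    return alpha.norm(), one.norm(), (alpha - one).norm()


if __name__ == "__main__":
    print("D = 5 footnote example (||alpha||, ||1||, ||alpha - 1||):", footnote_example(5))
    alpha = QuadElem(Fraction(-5, 2), Fraction(1, 2), 21)
    print("size(alpha) =", alpha.size(), " Lemma 2 holds:", lemma2_holds(alpha))
    y = QuadElem(3, 2, -7)   # constructed element of the imaginary field Q(sqrt(-7))
    print("||3 + 2 sqrt(-7)|| =", y.norm(), " size =", y.size())
```

For D = 5 the element α has size 5 while ||α|| = 1, so the norm alone is a poor size measure, exactly the point of the footnote; in the imaginary case the AM-GM bound of Lemma 2 is attained with equality, since there is a single place.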

3.3 The Code Construction 

For the rest of this section, let K be a number field of degree [K : Q] = M and signature 
(r, s). A number field code (NF-code for short) C = C_K, based on a number field K, has 
parameters (n, p_1, p_2, ..., p_n; B) where n is the blocklength of the code, p_1, p_2, ..., p_n 
are distinct (non-zero) prime ideals of O_K, and B is a positive real. The i-th position of 
the code C is defined over an alphabet of size ||p_i|| for 1 ≤ i ≤ n; let us assume w.l.o.g. 
that ||p_1|| ≤ ||p_2|| ≤ ··· ≤ ||p_n||. 

We are now almost in a position to define our code C = C_K, but for a technical reason 
that will become clear in Section 3.5, we will need to define the code with one extra 
“shift” parameter z ∈ R^r × C^s. Given such a z = (z_1, z_2, ..., z_{r+s}) with z_i ∈ R for 
1 ≤ i ≤ r and z_j ∈ C for r < j ≤ r + s, the z-shifted size size_z(x) of x ∈ O_K is defined 
as follows. Let τ_1, ..., τ_r be the embeddings K → R, and let σ_j, 1 ≤ j ≤ s, be the 
non-conjugate complex embeddings K → C. For i = 1, 2, ..., r, define |x|_{q_i}^{(z)} = |τ_i(x) − z_i|, 
and for 1 ≤ j ≤ s, define |x|_{q_{r+j}}^{(z)} = |σ_j(x) − z_{r+j}|^2. (Thus the archimedean valuations 
are just “shifted” with respect to z.) Now define 

\[ \mathrm{size}_z(x) = \sum_{i=1}^{r} |x|_{q_i}^{(z)} + \sum_{j=1}^{s} 2\sqrt{|x|_{q_{r+j}}^{(z)}} . \qquad (2) \]

Lemma 3. Let K be a number field of signature (r, s), with [K : Q] = r + 2s = M, 
and z ∈ R^r × C^s. If a, b ∈ O_K are such that size_z(a) ≤ B and size_z(b) ≤ B, then 

\[ \|a - b\| \le \left( \frac{2B}{M} \right)^{M} . \]

Proof: One can show, similarly to Lemma 1, that if size_z(a) ≤ B and size_z(b) ≤ B, 
then size(a − b) ≤ 2B. The proof then follows using Lemma 2. □ 

We now formally specify our code construction with the “shift parameter” added in. 

Definition 8 The code C = C_K based on a number field K with parameters 
(n, p_1, p_2, ..., p_n; B; z) is defined as follows. The message set of C is {m ∈ O_K : 
size_z(m) ≤ B}. The encoding function is Enc_C(m) = (m/p_1, m/p_2, ..., m/p_n). 



3.4 Distance of the Code 

We now estimate the distance of the code. If Enc_C(m_1) and Enc_C(m_2) agree in t places, 
say 1 ≤ i_1 < i_2 < ··· < i_t ≤ n, then m_1 − m_2 ∈ p_{i_1} ··· p_{i_t}. By Fact 3 and the 
ordering of the p_i's in increasing order of norm, we get ||m_1 − m_2|| ≥ ∏_{i=1}^{t} ||p_i||. On 
the other hand, by Lemma 3, we have ||m_1 − m_2|| ≤ (2B/M)^M. Thus if ∏_{i=1}^{t} ||p_i|| > 
(2B/M)^M, then we must have m_1 = m_2, and thus two distinct codewords can agree in 
at most (t − 1) places. We have thus shown the following: 

Lemma 4. For a number field code C = C_K based on a field K with [K : Q] = M with 
parameters (n, p_1, p_2, ..., p_n; B; z), if t (1 ≤ t ≤ n) is such that ||p_1|| × ||p_2|| × ··· × 
||p_t|| > (2B/M)^M, then the distance d(C) of C is at least (n − t + 1). In particular, 

\[ d(C) \ge n - \left\lfloor \frac{M \log(2B/M)}{\log \|p_1\|} \right\rfloor . \]
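Worked example, added here and not part of the paper: the construction of Definition 8 and the distance argument of Lemma 4 for the smallest interesting case K = Q(i), O_K = Z[i], M = 2, signature (0, 1), with shift z = 0 so that size(m) = 2|m|. A rational prime p ≡ 1 (mod 4) splits into two prime ideals of norm p, namely (p, i − ι) for the two roots ι of ι² ≡ −1 (mod p), and the residue m/𝔭 of m = a + bi modulo such an ideal is a + bι mod p. The code below uses the twelve prime ideals above 5, 13, 17, 29, 37, 41 and B = 6 (constructed sample parameters), computes the true minimum distance by exhaustive search and compares it with the bound n − t + 1 of Lemma 4, where t is the least number of smallest-norm ideals whose norms multiply to more than (2B/M)^M = B².

```python
from itertools import combinations

M = 2  # [Q(i) : Q]; signature (0, 1), so with z = 0 size(m) = 2*sqrt(|m|_q) = 2|m|


def roots_of_minus_one(p):
    """The two square roots of -1 modulo a prime p ≡ 1 (mod 4) (brute force, small p)."""
    roots = [r for r in range(p) if (r * r + 1) % p == 0]
    if len(roots) != 2:
        raise ValueError("p must be a prime congruent to 1 mod 4")
    return roots


def prime_ideals_above(p):
    """p ≡ 1 (mod 4) splits in Z[i] into two prime ideals (p, i - iota), one per root
    iota of iota^2 ≡ -1 (mod p); each has norm p.  An ideal is stored as (p, iota)."""
    return [(p, iota) for iota in roots_of_minus_one(p)]


def residue(m, ideal):
    """m/𝔭 in the paper's notation: the image of m = a + b*i in Z[i]/(p, i - iota) ≅ F_p,
    where i ↦ iota, so a + b*i ↦ a + b*iota (mod p)."""
    a, b = m
    p, iota = ideal
    return (a + b * iota) % p


def encode(m, ideals):
    """Enc_C(m) = (m/p_1, ..., m/p_n) of Definition 8."""
    return tuple(residue(m, P) for P in ideals)


def message_set(B):
    """{m ∈ Z[i] : size(m) ≤ B} = {a + b*i : 2*sqrt(a^2 + b^2) ≤ B}, tested in integers."""
    half = B // 2
    return [(a, b) for a in range(-half, half + 1) for b in range(-half, half + 1)
            if 4 * (a * a + b * b) <= B * B]


def lemma4_bound(ideals, B):
    """d(C) ≥ n - t + 1 for the least t with ||p_1||...||p_t|| > (2B/M)^M (= B^2 here),
    the ideals taken in increasing order of norm."""
    norms = sorted(p for p, _ in ideals)
    prod = 1
    for t, q in enumerate(norms, start=1):
        prod *= q
        if prod > B ** M:
            return len(ideals) - t + 1
    return 1  # no such t: only the trivial bound d ≥ 1 is obtained


def min_distance(codewords):
    """True minimum Hamming distance by exhaustive pairwise comparison."""
    return min(sum(x != y for x, y in zip(u, v)) for u, v in combinations(codewords, 2))


def build_code(primes, B):
    """The NF-code over Z[i] with the prime ideals above the given split primes and bound B."""
    ideals = [P for p in primes for P in prime_ideals_above(p)]
    msgs = message_set(B)
    return ideals, msgs, [encode(m, ideals) for m in msgs]


if __name__ == "__main__":
    ideals, msgs, code = build_code([5, 13, 17, 29, 37, 41], B=6)   # constructed sample parameters
    print(len(msgs), "messages,", len(ideals), "positions with alphabets", [p for p, _ in ideals])
    print("Lemma 4 bound:", lemma4_bound(ideals, 6), "  actual minimum distance:", min_distance(code))
```

Here 5 · 5 = 25 ≤ 36 < 5 · 5 · 13, so t = 3 and Lemma 4 gives d ≥ 10; the bound is tight, since the messages 3 and −2 differ by 5 ∈ (2 + i)(2 − i) and therefore agree at both positions above 5.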
3.5 The Rate of the Code 

To estimate the rate of the code we need a lower bound (or good estimate) of the number 
of elements x of O_K with size_z(x) ≤ B. The key quantity in such a lower bound is the 
discriminant of a number field. 

Given a number field K of degree M with M embeddings ζ_1, ..., ζ_M : K → C, the 
discriminant of any M-tuple of elements α_1, ..., α_M ∈ K, denoted disc(α_1, ..., α_M), 
is defined as the square of the determinant of the M × M matrix having ζ_i(α_j) as its 
(i, j)-th entry. disc(α_1, ..., α_M) ∈ Q and if α_i ∈ O_K, then disc(α_1, ..., α_M) ∈ Z. 

The discriminant of K, denoted D_K, is defined as disc(β_1, ..., β_M) where β_1, 
..., β_M is any integral basis of O_K over Z (it can be shown to be independent of 
the choice of the basis). Lastly, the root discriminant of K, denoted rd_K, is defined as 
|D_K|^{1/M}. 

The following proposition gives a lower bound on the number of elements of bounded 
size in the ring of integers of a number field. It uses the geometry of the Minkowski lattice 
and is based on an averaging argument similar to the one used by Lenstra [8]. 

Proposition 9 ([8]) For any number field K with signature (r, s) and discriminant D_K, 
and any B ∈ R_+, there exists a z ∈ R^r × C^s such that 

\[ \left| \{ x \in O_K : \mathrm{size}_z(x) \le B \} \right| \ge \frac{2^r \pi^s B^M}{M! \, \sqrt{|D_K|}} . \qquad (3) \]

The following proposition records the quantitative parameters (rate and distance) of the 
NF-code construction we gave in Section 3.3. (All logarithms are to the base 2.) 

Proposition 10 Let K be a number field of degree [K : Q] = M and signature (r, s). 
Let C = C_K be a number field code defined with parameters (n, p_1, p_2, ..., p_n; B; z) 
with ||p_1|| ≤ ··· ≤ ||p_n||. Then there exists a choice of the “shift” z for which the 
rate R(C) of C is at least 

\[ \frac{1}{n \log \|p_n\|} \cdot \left( \log\left( 2^r \pi^s B^M \right) - \log M! - \log \sqrt{|D_K|} \right) \]

and the distance d(C) of C is greater than n − M log(2B/M) / log ||p_1||. In particular we have 

\[ R(C) \ge \frac{(n - d(C)) \log \|p_1\| + s \log(\pi/4) + M \log e - M \log \sqrt{\mathrm{rd}_K} - \log 3M}{n \log \|p_n\|} . \]

Proof: The proof follows easily from Lemma 4 and Proposition 9, and using Stirling’s 
approximation in the form M! ≤ 3M (M/e)^M for all M ≥ 1. □ 



4 Constructing an Asymptotically Good Code 

By Proposition 10, in order to have good rate, one would like to define codes based on 
number fields K with small root discriminant rd_K. In addition, in order to define a code 
of blocklength n over an alphabet of size q, we need O_K to have n prime ideals of norm 
at most q. In particular, if one hopes to construct a family of asymptotically good codes 
over an alphabet of size q based on this approach, then one needs a family of number 
fields {K_n} such that (a) K_n has small root discriminant (the best one can hope for is 
of the form c for some constant c, by existing lower bounds on the discriminant; see the 
survey [12]), and (b) it has Ω([K_n : Q]) prime ideals of norm at most q. Constructions of 
sequences of number fields with bounded root discriminant are obtained in the literature 
using the existence of infinite Hilbert class field towers. For our application we will need 
such towers with the added restriction that certain primes of small norm split completely 
all the way up the tower. We next review the main definition from class field theory that 
will be necessary for our number field constructions. 

4.1 Class Fields with Splitting Conditions: Definitions 

We will quickly review the basic notation: a finite extension K/k of number fields is 
(i) unramified if no place (including the infinite ones, i.e. real places stay real) of k is 
ramified in K (this implies disc(K/k) = (1)); (ii) abelian if K/k is Galois with abelian 
Galois group; (iii) a p-extension if K/k is Galois with [K : k] a power of p. 

Definition 11 [T-decomposing p-Class Field]: For any number field k and a set of 
primes T (of O_k), the maximal unramified abelian p-extension of k in which every prime 
in T splits completely, denoted k_p^T, is called the T-decomposing p-class field of k. 

Definition 12 [T-decomposing p-Class Field Tower]: For any number field k and a 
set of primes T, the T-decomposing p-class field tower of k is obtained by repeatedly 
taking T-decomposing p-class fields: it is the sequence of fields k_0 = k, k_1 = k_p^T and, 
for i ≥ 2, k_i = (k_{i−1})_p^{T_{i−1}}, where T_i is the set of primes in k_i lying above T. We say 
that k has an infinite T-decomposing p-class field tower if this tower does not terminate 
for any finite i. 

4.2 The Construction Approach 

The basic approach behind constructing number fields K with infinite class field towers 
is the Golod-Safarevic theory [4] (cf. [13]). For our purposes, it suffices to use the 
following result which gives a specific sufficient condition for quadratic extensions to 
have infinite 2-class field towers with certain added splitting constraints. This result 
appears as Corollary 6.2 in [16] and is proved using techniques which also appear in 
related works like [9,7]. 

Proposition 13 ([16]) Let P = {p_1, ..., p_s} and Q = {q_1, ..., q_r} be disjoint sets of 
primes. Consider an imaginary quadratic extension K/Q that is ramified exactly at those 
primes in Q. Let T be the set of prime ideals of O_K that lie above the primes in P, and 
let |T| = t. Suppose further that 

\[ r \ge 3 + t - s + 2\sqrt{t + 2} . \qquad (4) \]

Then K has an infinite T-decomposing 2-class field tower. 

The above is a very useful proposition and we believe plugging in specific values into it 
will lead to many asymptotically good number field code constructions. In the next two 
subsections, our aim is to present concrete examples of code constructions based on the 
above proposition and we therefore focus on a specific setting of parameters which will 
lead to an asymptotically good code over a reasonably small alphabet. 
4.3 Specific Constructions 

We now apply Proposition 13 to get a specific construction of a number field with an 
infinite 2-class field tower. 

Lemma 5. Let d = 3 · 5 · 7 · 11 · 13 · 17 · 19 = 4849845, and let K = Q(√−d). Then: 

(i) rd_K = √(4d) ≈ 4404.4727 

(ii) O_K has a set T of two prime ideals of norm 29. 

(iii) K has an infinite T-decomposing 2-class field tower. 

Proof: The first two parts follow from standard properties of imaginary quadratic ex-
tensions (cf. [10]). To prove Part (iii), we apply Proposition 13 to K/Q with Q = 
{2, 3, 5, 7, 11, 13, 17, 19} and P = {29}. The prime 29 splits into a set T of two primes 
in K/Q; we thus have r = 8, s = 1 and t = 2 in Proposition 13. Since these values 
satisfy Condition (4), we conclude that K has an infinite T-decomposing 2-class field 
tower. □ 



4.4 Obtaining an Asymptotically Good Number Field Code 



Let K_0 = K be the number field from the previous section. Let K_0 ⊂ K_1 ⊂ K_2 ⊂ ··· 
be the (infinite) T-decomposing 2-class field tower of K_0. We construct a family of 
codes C_n based on the number fields K_n below. 

Fix an n and let [K_n : Q] = M (note that M will be a power of 2 but this will not 
be important for us). Since K_n is totally complex, the signature of K_n is (0, M/2). By 
Lemma 5, the prime 29 splits completely in the extension K_n/Q, and thus O_{K_n} has M 
prime ideals, say p_1, p_2, ..., p_M, each of norm 29. 

Now consider the code C_n (defined as in Section 3.3) based on K_n with parameters 
(M, p_1, ..., p_M; B; z) where B = c_0 M for some constant c_0 > 0 to be specified 
later, and z ∈ C^{M/2} is a “shift parameter” as guaranteed by Proposition 9. Now let us 
analyze the parameters of this code family {C_n}_{n≥0}. Define the designed distance of 
the code C_n to be 

\[ d'(C_n) = M - \left\lfloor \frac{M \log(2c_0)}{\log 29} \right\rfloor . \qquad (5) \]

Then, by Proposition 10, the distance of the code d(C_n) is at least d'(C_n), and the rate 
of the code R(C_n) is greater than 

\[ \left( 1 - \frac{d'(C_n)}{M} \right) + \frac{1}{\log 29} \left( \frac{1}{2} \log\frac{\pi}{4} + \log e - \log \sqrt{\mathrm{rd}_{K_n}} \right) - \frac{\log 3M}{M \log 29} . \qquad (6) \]

Combining Equations (5) and (6) above and using rd_{K_n} = rd_K = 4404.4727, we 
obtain, in the limit of large M → ∞, 

\[ R(C_n) \ge 1 - \frac{d'(C_n)}{M} - 0.985 - \frac{\log 3M}{M \log 29} = 0.015 - \frac{d'(C_n)}{M} - \frac{\log 3M}{M \log 29} . \qquad (7) \]

Thus if d'(C_n)/M < 0.015, we can get asymptotically good codes. By Equation (5) this 
will be the case if c_0 > 29^{0.985}/2, or if c_0 > 13.79. Also we must have c_0 < 29/2 = 14.5 
in order to have d'(C_n)/M > 0. By varying c_0 in this range (13.79 < c_0 < 14.5), we can 
achieve asymptotically good codes over an alphabet of size 29 for any value of relative 
distance δ in the range 0 < δ < 0.015. We have thus proved the following: 
Theorem 14. There exist asymptotically good families of number field codes. In particular, 
such codes exist over GF(29). □ 
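As an added numerical check (my own code, not the paper's), the following Python evaluates the quantities of Equations (5) to (7) for the tower of Section 4.4: the M-independent constant in the rate bound of Proposition 10 (about −0.985 for rd_K = 4404.4727, alphabet 29 and s = M/2), the largest relative designed distance that still leaves positive asymptotic rate (about 0.015), and the admissible range of c_0 (about 13.79 < c_0 < 14.5). The functions take (rd_K, q, s/M) as parameters, so they apply to any tower in which every code position has the same prime norm q; the function names are mine.

```python
from math import log2, pi, e, floor

# All logarithms are to the base 2, as in the paper.


def kappa(rd_K, q, s_over_M):
    """M-independent part of the rate bound in Proposition 10 when every position has
    alphabet size q and n = M:  ( (s/M) log(pi/4) + log e - log sqrt(rd_K) ) / log q."""
    return (s_over_M * log2(pi / 4) + log2(e) - log2(rd_K) / 2) / log2(q)


def designed_distance(M, c0, q):
    """Equation (5) for alphabet size q: d' = M - floor(M log(2 c0) / log q)."""
    return M - floor(M * log2(2 * c0) / log2(q))


def rate_lower_bound(M, c0, q, rd_K, s_over_M):
    """Equation (6): (1 - d'/M) + kappa - log(3M)/(M log q), for a concrete M."""
    return (1 - designed_distance(M, c0, q) / M
            + kappa(rd_K, q, s_over_M)
            - log2(3 * M) / (M * log2(q)))


def max_relative_distance(rd_K, q, s_over_M):
    """As M -> infinity the bound becomes 1 - d'/M + kappa, so the family is
    asymptotically good for every relative distance below 1 + kappa (Equation (7))."""
    return 1 + kappa(rd_K, q, s_over_M)


def c0_range(rd_K, q, s_over_M):
    """Values of c0 giving positive asymptotic rate (c0 > q^(-kappa)/2, since
    d'/M -> 1 - log(2 c0)/log q) and positive designed distance (2 c0 < q)."""
    return q ** (-kappa(rd_K, q, s_over_M)) / 2, q / 2


if __name__ == "__main__":
    RD, Q, S_OVER_M = 4404.4727, 29, 0.5   # Section 4.4: totally complex tower, norm-29 primes
    print("kappa =", kappa(RD, Q, S_OVER_M))
    print("largest relative distance with positive rate =", max_relative_distance(RD, Q, S_OVER_M))
    print("admissible c0 range =", c0_range(RD, Q, S_OVER_M))
    for c0 in (13, 14):
        print("M = 1024, c0 =", c0, ": d' =", designed_distance(1024, c0, Q),
              " rate bound =", rate_lower_bound(1024, c0, Q, RD, S_OVER_M))
```

For M = 1024 the finite-M term log(3M)/(M log 29) is still about 0.002, which is why c_0 = 14 gives a barely positive bound while c_0 = 13, below the threshold 13.79, gives a negative one.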

4.5 Asymptotically Good Codes Over a Smaller Alphabet 

We now present a different construction that achieves an even smaller alphabet size. The 
codes are defined by using prime ideals of different norms (since NF-codes are anyway 
non-linear, this presents no problems). We sketch this construction below. The proof of 
the following lemma is similar to that of Lemma 5. 

Lemma 6. Let d' = 3 · 5 · 7 · 11 · 13 · 23 · 29 · 37 · 41, and let K' = Q(√−d'). Then: 

(i) rd_{K'} = √(4d') ≈ 246515.72 

(ii) O_{K'} has a set T' of four prime ideals, two of which lie above 17 (and have norm 
17) and two of which lie above 19 (and have norm 19). 

(iii) K' has an infinite T'-decomposing 2-class field tower. 

One can now construct a family of codes from the infinite T'-decomposing 2-class 
field tower K'_0 = K' ⊂ K'_1 ⊂ K'_2 ⊂ ··· of K', similar to the construction in Section 
4.4. The code C'_n based on K'_n will have parameters (N, p_1, ..., p_M, q_1, ..., q_M; B; z). 
Here the p_i's (resp. q_i's) are the M primes in K'_n that lie above the prime integer 17 
(resp. 19), N = 2M is the blocklength of the code, B = c'_0 M for some constant 
c'_0 > 0, and z ∈ C^{M/2} is an appropriate “shift parameter”. Now using Proposition 10 
and arguments similar to those in Section 4.4, we obtain in the limit of large M → ∞, 

l log(fy^) log 17/ d(c;) log 14.5 X 

^ - V W / log 19 2 log 19 log 19 V N log 17 / ' 

( 8 ) 

Thus we can get asymptotically good codes for any value of relative minimum distance 
that is at most (1— — 0.056. We therefore conclude the following strengthening 

of Theorem 14. 

Theorem 15. There exist asymptotically good number field codes over an alphabet of 
size 19. □ 



5 Concluding Remarks 

We conclude with some specific questions: Can one prove unconditionally, without 
assuming the GRH, that there exist codes that beat the Gilbert-Varshamov bound for a 
not too large alphabet size? If so, what is the smallest alphabet size one can achieve for 
such a result, and what is the best asymptotic performance one can achieve in the limit 
of large (but constant) alphabet size? 
Abstract. In this paper, we introduce the generalized Hamming weights 
with respect to rank (GHWR), from a module theoretical point of view, 
for linear codes over finite chain rings. We consider some basic properties 
of GHWR. 



1 Introduction 

For an [n, k] code C over a finite field F_q and 1 ≤ r ≤ k, the r-th generalized 
Hamming weight (GHW) d_r(C) of C is defined by Wei ([10]) as follows: 

    d_r(C) := min{|Supp(U)| : U is an [n, r] subcode of C}, 

where Supp(U) := ∪_{x∈U} supp(x) and supp(x) := {i | x_i ≠ 0} for x = (x_1, ..., x_n) ∈ 
F_q^n. A lot of papers dealing with GHW for codes over finite fields have been 
published (see [9] etc.). 
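As an added illustration of Wei's definition (my own code, not from this paper), here is a brute-force computation of the weight hierarchy d_1(C), ..., d_k(C) of a binary linear code: for each r it enumerates r-tuples of linearly independent codewords, takes the support of the [n, r] subcode they span (which is the union of the basis supports, since every element of the span is a sum of basis vectors and every basis vector lies in the span) and keeps the smallest. Codewords are represented as n-bit masks; the sample code is the [7, 4] Hamming code with generator matrix [I_4 | A], constructed for this example.

```python
from itertools import combinations


def span(basis):
    """All vectors (bitmasks over F_2) in the span of the given basis vectors."""
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return vecs


def weight(v):
    """Hamming weight of a bitmask."""
    return bin(v).count("1")


def generalized_hamming_weights(generator_rows):
    """Wei's hierarchy [d_1(C), ..., d_k(C)] for the binary linear code C generated by
    the given rows.  d_r is the least |Supp(U)| over [n, r] subcodes U; Supp(U) is the
    OR of the codewords of U, which equals the OR of any basis of U."""
    code = span(generator_rows)
    k = len(code).bit_length() - 1          # |C| = 2^k
    nonzero = [c for c in code if c]
    hierarchy = []
    for r in range(1, k + 1):
        best = None
        for basis in combinations(nonzero, r):
            if len(span(basis)) != 2 ** r:   # linearly dependent: not an [n, r] subcode
                continue
            supp = 0
            for c in basis:
                supp |= c
            w = weight(supp)
            if best is None or w < best:
                best = w
        hierarchy.append(best)
    return hierarchy


# Constructed sample: the [7, 4] Hamming code, G = [I_4 | A], rows as 7-bit masks.
HAMMING_7_4 = [0b1000110, 0b0100101, 0b0010011, 0b0001111]

if __name__ == "__main__":
    print("weight hierarchy of the [7, 4] Hamming code:", generalized_hamming_weights(HAMMING_7_4))
```

Since d_1(C) is the minimum distance and d_k(C) is the size of the support of the whole code, the hierarchy is strictly increasing from d to at most n; for the Hamming code the computation returns 3, 5, 6, 7.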

On the other hand, in the last few years, linear codes over finite rings have 
been in the focus of coding research (see [3], [5], [6], [7] and [11], etc.). In 
particular, Ashikhmin, Yang, Helleseth et al. ([1], [12], [13] and [4]) introduced 
the rth generalized Hamming weight with respect to order (GHWO) d_r(C) for a 
linear code C of length n over Z_4 and 1 ≤ r ≤ log_4 |C| as follows: 

d_r(C) := min{|Supp(U)| : U is a submodule of C with log_4 |U| = r}. 

And they exactly determined d_r(C) of the Preparata, Kerdock, Goethals codes et 
al. over Z_4 for some r. 

In this paper, we shall introduce a concept of rank for linear codes over finite 
chain rings and consider some fundamental properties of a generalized Hamming 
weight with respect to rank for these codes. 

In this paper, all rings are assumed to be finite and associative with 1 ≠ 0. 

In any module, 1 is assumed to act as the identity. 

* Research Fellow of the Japan Society for the Promotion of Science. 
2 Codes over Finite Chain Rings 

A finite ring R with Jacobson radical J(R) ≠ 0 is called a chain ring if the principal 
left ideals of R form a chain (see [8] and [5]). We remark that a finite chain 
ring R can be viewed as a local ring with J(R) = Rθ for any θ ∈ J(R) \ J(R)^2. 
For example, the ring Z/qZ of integers modulo q, where q is a prime power, the 
Galois ring GR(q, m) of characteristic q with q^m elements, and F_2 + uF_2 (u^2 = 0) 
are chain rings. On the other hand, Z/kZ, where k is not a prime power, and 
F_2 + vF_2 (v^2 = v) are not chain rings. Let m be the index of nilpotency of J(R) 
and let R* be the group of units of R. In addition, since R is a local ring, we 
denote by a prime power q the cardinality of the finite field R/J(R), that is, 
R/J(R) = F_q and |R| = q^m. Let R^n be the free R-module of rank n consisting 
of all n-tuples of elements of R. With respect to component-wise addition and 
right/left multiplication, R^n has the structure of an (R, R)-bimodule. A right 
(resp., left) linear code C of length n over R is a right (resp., left) R-submodule 
of R^n. If C is a free R-submodule of R^n, then we shall call C a free code. For a 
right (left) linear code C over R, we define the rank of C, denoted by rank(C), as 
the minimum number of generators of C and define the free rank of C, denoted 
by frank(C), as the maximum rank of the free R-submodules of C. In this case, 
C is isomorphic, as an R-module, to a direct sum: 

$$C \cong \bigoplus_{i=0}^{m-1} \left(R/R\theta^{m-i}\right)^{k_i},$$

where Rθ^i := {rθ^i | r ∈ R} = {x ∈ R | xθ^{m−i} = 0}, for each i ∈ {0, 1, ..., m−1}. 

We note that rank(C) = k_0 + k_1 + ... + k_{m−1} and frank(C) = k_0, and define the type of C, 
denoted by type(C), as the sequence (k_0, k_1, ..., k_{m−1}). 

For an R-module M, the socle of M, that is, the sum of all simple submodules 
of M, is denoted by Soc(M). For a right (resp., left) linear code C over R, we 
note that 

Soc(C) = {x ∈ C | xθ = 0} 

(resp., Soc(C) = {x ∈ C | θx = 0}). 

For a right (left) linear code C over R, we define I(C) as a minimal free 
R-submodule of R^n which contains C and define F(C) as a maximal free R-
submodule of C. If C is a right (resp., left) linear code of length n over R, then 
I(C) is a right (resp., left) free code of length n with rank(I(C)) = rank(C) and 
F(C) is a right (resp., left) free code of length n with rank(F(C)) = frank(C) 
(cf. [7]). 

For a vector x = (x_1, ..., x_n) ∈ R^n, the support of x is defined by 

supp(x) := {i | x_i ≠ 0} 

and the Hamming weight wt(x) of x is defined to be the order of the support of 
x. The minimum Hamming weight of a linear code C of length n over R is 

d(C) := min{wt(x) | (0 ≠) x ∈ C}. 
If Soc(R) ≅ R/J(R) as right R-modules and as left R-modules, then R is 
called a Frobenius ring ([8], [7] and [11]). Since a chain ring R is a Frobenius 
ring, we have an R-isomorphism φ : Soc(R) ≅ R/J(R). In this case, φ induces 
the following R-isomorphism: 

φ^n : Soc(R)^n → (R/J(R))^n 

: x = (x_1, ..., x_n) ↦ φ^n(x) = (φ(x_1), ..., φ(x_n)), 

(cf. [8] and [7]). We have the following proposition. 

Proposition 2.1 ([7]). If C is a right (left) linear code of length n over R, then 
φ^n(Soc(C)) is a linear [n, rank(C), d(C)] code over the finite field R/J(R). 

For two vectors x = (x_1, ..., x_n) ∈ R^n and y = (y_1, ..., y_n) ∈ R^n, we define 
the inner product 

⟨x, y⟩ := x_1 y_1 + ... + x_n y_n. 

For a subset C ⊆ R^n, we define the right dual code C^⊥ and the left dual code 
^⊥C of C as follows: 

C^⊥ := {y ∈ R^n | ⟨x, y⟩ = 0, ∀x ∈ C} 

^⊥C := {y ∈ R^n | ⟨y, x⟩ = 0, ∀x ∈ C}. 

If C is a right (resp., left) linear code of length n over R, then 

rank(C) + frank(^⊥C) = n 
(resp., rank(C) + frank(C^⊥) = n) 

and (^⊥C)^⊥ = C (resp., ^⊥(C^⊥) = C) (cf. [5] and [7]). 

A generator matrix of a right (resp., left) linear code C of length n over R 
is a rank(C) × n matrix over R whose rows form a minimal set of generators of 
C. Similarly, a parity check matrix of C is an n × (n − frank(C)) matrix over R 
whose columns form a minimal set of generators of ^⊥C (resp., C^⊥). 

In the remaining part of this paper, we shall concentrate on right linear codes, 
because all results and proofs for left linear codes go through in the same way as 
those for right linear codes. 

3 Generalized Hamming Weights 

For a subset C ⊆ R^n, we define the support of C by 

Supp(C) := ∪_{x∈C} supp(x). 

Evidently we note that if C_1 and C_2 are subsets of R^n such that C_1 ⊆ C_2, then 
|Supp(C_1)| ≤ |Supp(C_2)|. 

Definition 3.1. For a right linear code C of length n over R and 1 ≤ r ≤ 
rank(C), the rth generalized Hamming weight with respect to rank (GHWR) of 
C is defined by 

d_r(C) := min{|Supp(D)| : D is an R-submodule of C with rank(D) = r}. 

The weight hierarchy of C is the set of integers {d_r(C) : 1 ≤ r ≤ rank(C)}. 
Example 3.2. Let C be a linear code over Z_4 with generator matrix 

$$G = \begin{pmatrix} 1 & 0 & 0 & 1 & 1 & 2 & 3 \\ 0 & 2 & 0 & 2 & 2 & 2 & 0 \\ 0 & 0 & 2 & 2 & 0 & 2 & 2 \end{pmatrix}.$$

Then d_1(C) = 4, d_2(C) = 6 and d_3(C) = 7. 

The following lemma is essential. 

Lemma 3.3. If C is a right (left) linear code of length n over R, then 

Soc(C) = Soc(I(C)). 

Proof. Evidently, Soc(C) ⊆ Soc(I(C)). From Proposition 2.1, both of them have 
the same order. The lemma follows. □ 

The following result is a generalization of Proposition 2.1 with respect to 
GHWR. 

Theorem 3.4. Let C be a right linear code of length n over R. Then 

d_r(C) = d_r(Soc(C)) = d_r(I(C)), 

for any r, 1 ≤ r ≤ rank(C). 

Proof. For any r, 1 ≤ r ≤ rank(C), let D_r be an R-submodule of C with 
rank(D_r) = r and |Supp(D_r)| = d_r(C). Since Soc(D_r) is also an R-submodule 
of D_r and C, and rank(Soc(D_r)) = r, we have 

d_r(C) ≤ |Supp(Soc(D_r))| ≤ |Supp(D_r)| = d_r(C). 

By Lemma 3.3, the second equality in the theorem follows from the first one. 

□ 



Remark 3.5. The above theorem also claims that all free R-submodules of R^n 
which contain C and have the same rank as C have the same weight hierarchy 
as C. 



Example 3.6. Let P_m be the Preparata code of length 2^m over Z_4 with parity 
check matrix 

$$H = \begin{pmatrix} 1 & 1 & 1 & 1 & \cdots & 1 \\ 0 & 1 & \beta & \beta^2 & \cdots & \beta^{2^m - 2} \end{pmatrix},$$

where β is a unit of order 2^m − 1 in the Galois ring GR(4, m) of characteristic 4 
with 4^m elements (cf. [3], [13], etc.). Then it is well-known that φ^{2^m}(Soc(P_m)) is 
the extended binary Hamming code H_m ([3]). And the weight hierarchy of H_m 
is found in [10]. Thus we have the following: 

{d_r(P_m) : 1 ≤ r ≤ 2^m − m − 1} 

= {d_r(H_m) : 1 ≤ r ≤ 2^m − m − 1} 

= {2, 3, ..., 2^m} \ {2^s + 1 : 0 ≤ s ≤ m − 1}. 
Using the above theorem, we have the following results from Theorem 1 and 
Corollary 1 in [10]. 

Corollary 3.7. For a right linear code C of length n over R with rank(C) = 
k > 0, 

1 ≤ d_1(C) < d_2(C) < ··· < d_k(C) ≤ n. 

Corollary 3.8. For a right linear code C of length n over R and any r, 1 ≤ 
r ≤ rank(C), 

d_r(C) ≤ n − rank(C) + r. 

If C meets the above bound, i.e., d_r(C) = n − rank(C) + r, then C is called 
an rth MDS code over R. In [2] and [7], the first MDS codes over finite rings 
(simply called MDR or MDS codes in these papers) are studied. In particular, 
the code considered in Example 3.2 is a second MDS code and so is a third MDS 
code over Z_4. 

For a right linear code C of length n and M ⊆ N := {1, 2, ..., n}, we set 

R^n(M) := {x ∈ R^n | supp(x) ⊆ M} 

C(M) := C ∩ R^n(M) = {x ∈ C | supp(x) ⊆ M}. 

Clearly, R^n(M) is a free R-module of rank |M| and C(M) is also a right linear 
code of length n over R. And for right linear codes C and D over R and a linear 
map ψ : C → D, we define 

C* := Hom_R(C, R) 

ψ* : D* → C* 

: g ↦ gψ. 

Moreover, there is the following isomorphism as left R-modules: 

f : R^n → (R^n)* 

: x ↦ (f(x) : y ↦ ⟨x, y⟩). 

Then the following proposition is essential. 

Proposition 3.9 ([6]). Let C be a right linear code of length n over R. Then 
the sequence 

$$0 \to {}^{\perp}C(N-M) \xrightarrow{\ \mathrm{inc}\ } R^n(N-M) \to C^* \xrightarrow{\ \mathrm{res}\ } C(M)^* \to 0$$

is exact as left R-modules for any M ⊆ N, where the maps inc, res denote the 
inclusion map, the restriction map, respectively. 

In [6], they proved the Singleton type bound for codes over finite quasi-
Frobenius rings by using this proposition. In this paper, we prove a duality for 
GHWR of codes over finite chain rings using this proposition. 

Lemma 3.10. Let C be a right linear code of length n over R. Then 

d_r(C) = min{|M| : rank(C(M)) ≥ r, M ⊆ N}, 

for all r, 1 ≤ r ≤ rank(C). 







H. Horimoto and K. Shiromoto 



Proof. For any R-submodule D of C, we note that 

|Supp(D)| = min{|M| : D ⊆ C(M), M ⊆ N}. 

The lemma follows from the above equality, immediately. □ 

Lemma 3.11. Let A, B, C and V be left R-modules and assume that the se-
quence 

$$0 \to A \xrightarrow{\ \alpha\ } B \xrightarrow{\ \beta\ } C \xrightarrow{\ \gamma\ } V \to 0$$

is exact as left R-modules. Then we have an isomorphism: 

$$(B/\alpha(A))^* \cong C^*/\gamma^*(V^*).$$

Moreover if B and C are free, then 

rank(A) + rank(C) = rank(B) + rank(V). (1) 

Proof. By the assumption we have the short exact sequence: 

$$0 \to B/\alpha(A) \xrightarrow{\ \bar\beta\ } C \xrightarrow{\ \gamma\ } V \to 0,$$

where β̄ : b + α(A) ↦ β(b). From the injectivity of R as a left module over itself, we have the dual sequence 

$$0 \to V^* \xrightarrow{\ \gamma^*\ } C^* \xrightarrow{\ \bar\beta^*\ } (B/\alpha(A))^* \to 0.$$

Thus we have the following isomorphism: 

$$(B/\alpha(A))^* \cong C^*/\gamma^*(V^*).$$

We suppose that B and C are free. Since R is a chain ring, the types of the quotient 
modules B/α(A) and C*/γ*(V*) only depend on the types of their submodules 
α(A) and γ*(V*), respectively. Therefore we have the equation (1). □ 

A duality for GHW of codes over finite fields is proved in [10] and similarly, 
a duality for GHWO of codes over Galois rings is proved in [1]. As in these cases, 
we have a similar duality relation for GHWR of codes over finite chain rings as 
follows: 

Theorem 3.12. Let C be a right linear code of length n over R with rank(C) = 
k. Then 

{d_r(C) : 1 ≤ r ≤ k} = {1, 2, ..., n} \ {n + 1 − d_r(F(^⊥C)) : 1 ≤ r ≤ n − k}. 

Proof. Since ^⊥I(C) is a left free R-submodule of ^⊥C and rank(^⊥I(C)) = n − k = 
frank(^⊥C), we can take F(^⊥C) = ^⊥I(C). Conversely, if we take any F(^⊥C), 
then we can take I(C) such that I(C) = F(^⊥C)^⊥. It is sufficient to prove 
d_r(C) ≠ n + 1 − d_{r'}(F(^⊥C)) for any 1 ≤ r ≤ k and 1 ≤ r' ≤ n − k. 

For any r, 1 ≤ r ≤ n − k, we set t = k + r − d_r(F(^⊥C)). First, we prove that 
d_t(C) < n + 1 − d_r(F(^⊥C)). From Lemma 3.10, let M be a subset of N with 
|N − M| = d_r(F(^⊥C)) and rank(F(^⊥C)(N − M)) ≥ r. Combining Proposition 
3.9 for I(C) with Lemma 3.11, we have 

rank(I(C)(M)) = rank(I(C)) + rank(F(^⊥C)(N − M)) − rank(R^n(N − M)) 
≥ k + r − d_r(F(^⊥C)). 

From Lemma 3.10, the following inequality follows: 

d_t(C) = d_t(I(C)) ≤ |M| = n − d_r(F(^⊥C)) < n + 1 − d_r(F(^⊥C)). 

By using Corollary 3.7, we have 

d_1(C) < ··· < d_{t−1}(C) < d_t(C) < n + 1 − d_r(F(^⊥C)). 

Next, we show that d_{t+Δ}(C) ≠ n + 1 − d_r(F(^⊥C)) for any Δ ≥ 1. We assume 
that d_{t+Δ}(C) = n + 1 − d_r(F(^⊥C)) for some Δ ≥ 1. Let M be a subset of N 
with |M| = d_{t+Δ}(I(C)) and rank(I(C)(M)) ≥ t + Δ. Then we have the following 
equation by using Proposition 3.9 for I(C) and Lemma 3.11: 

rank(F(^⊥C)(N − M)) = rank(I(C)(M)) + |N − M| − rank(I(C)) 

≥ (t + Δ) + (n − d_{t+Δ}(I(C))) − k 
= r + Δ − 1. 

From Lemma 3.10, the following inequality follows: 

d_s(F(^⊥C)) ≤ |N − M| = n − d_{t+Δ}(I(C)) = d_r(F(^⊥C)) − 1, 

where s = r + Δ − 1, contradicting Corollary 3.7. We complete the proof. □ 

Example 3.13. Let C be the linear code defined in Example 3.2. Then the dual 
code C^⊥ has a generator matrix (cf. [3]): 

$$\begin{pmatrix} 3 & 1 & 1 & 1 & 0 & 0 & 0 \\ 3 & 1 & 0 & 0 & 1 & 0 & 0 \\ 2 & 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 0 & 1 \\ 0 & 2 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 2 & 0 & 0 & 0 & 0 \end{pmatrix}.$$

So F(C^⊥) is a linear code having a generator matrix: 

$$\begin{pmatrix} 3 & 1 & 1 & 1 & 0 & 0 & 0 \\ 3 & 1 & 0 & 0 & 1 & 0 & 0 \\ 2 & 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 0 & 1 \end{pmatrix}.$$

By calculating, we have {d_r(F(C^⊥)) : r = 1, 2, 3, 4} = {3, 5, 6, 7} and {d_r(C) : 
r = 1, 2, 3} ∪ {8 − d_r(F(C^⊥)) : r = 1, 2, 3, 4} = {1, 2, ..., 7}. 

Though we have many possibilities of taking F(C) for a right linear code C, 
the following result follows from the above theorem. 
Corollary 3.14. If C is a right linear code of length n over R with frank(C) = 
k_0, then all right free R-submodules of C with rank k_0 have the same weight 
hierarchy determined by that of ^⊥C. 
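As an added example (not code from the paper), the following Python computes d_r(C) for the code of Example 3.2 both directly from Definition 3.1 and through Theorem 3.4, and checks the duality of Theorem 3.12 against the matrices of Example 3.13; Z_4 is treated as Z_{p^m} with θ = p, and all function names are my own, not the paper's notation.

```python
"""GHWR of linear codes over Z_4 (Examples 3.2 and 3.13), as an added example.

Z_{p^m} is a chain ring with theta = p, so Soc(C) = {x in C : p*x = 0} and
phi^n maps a socle word to F_p^n by dividing each coordinate by p^(m-1).
Function names are this example's own, not the paper's notation."""
from itertools import combinations, product
from math import log

def add(x, y, mod):
    return tuple((a + b) % mod for a, b in zip(x, y))

def span(gens, mod):
    """All Z_mod-linear combinations of the generators (the submodule they generate)."""
    words = {tuple([0] * len(gens[0]))}
    for g in gens:
        multiples = [tuple((c * a) % mod for a in g) for c in range(mod)]
        words = {add(w, v, mod) for w in words for v in multiples}
    return words

def support(words):
    """Supp(D): union of the supports of all words of D."""
    return {i for w in words for i, a in enumerate(w) if a}

def socle(words, p, m):
    """Soc(D) for a submodule D of Z_{p^m}^n: the words killed by p."""
    q = p ** (m - 1)
    return {w for w in words if all(a % q == 0 for a in w)}

def rank(words, p, m):
    """rank(D) = log_p |Soc(D)|: phi^n(Soc(D)) is an [n, rank(D)] code (Proposition 2.1)."""
    return round(log(len(socle(words, p, m)), p))

def ghwr_by_definition(gen_rows, p, m, r):
    """d_r(C) by Definition 3.1: min |Supp(D)| over submodules D of C with rank r.
    Every such D is generated by r codewords, so all r-subsets are tried."""
    code = span([tuple(g) for g in gen_rows], p ** m)
    nonzero = [w for w in code if any(w)]
    best = None
    for gens in combinations(nonzero, r):
        D = span(list(gens), p ** m)
        if rank(D, p, m) == r:
            s = len(support(D))
            best = s if best is None or s < best else best
    return best

def ghwr_via_socle(gen_rows, p, m, r):
    """d_r(C) by Theorem 3.4: d_r(C) = d_r(Soc(C)), computed as the r-th
    generalized Hamming weight of the F_p code phi^n(Soc(C))."""
    q = p ** (m - 1)
    code = span([tuple(g) for g in gen_rows], p ** m)
    image = {tuple(a // q for a in w) for w in socle(code, p, m)}
    nonzero = [w for w in image if any(w)]
    best = None
    for gens in combinations(nonzero, r):
        U = span(list(gens), p)          # F_p-span of the chosen words
        if len(U) == p ** r:             # independent, so dim U = r
            s = len(support(U))
            best = s if best is None or s < best else best
    return best

def dual_code(gen_rows, mod):
    """C^perp = {y : <x, y> = 0 for all x in C}, by exhaustive search over Z_mod^n."""
    n = len(gen_rows[0])
    return {y for y in product(range(mod), repeat=n)
            if all(sum(a * b for a, b in zip(g, y)) % mod == 0 for g in gen_rows)}

def duality_holds(gen_rows, free_dual_rows, p, m):
    """Theorem 3.12: {d_r(C)} = {1..n} minus {n + 1 - d_r(F(C^perp))}.
    Z_{p^m} is commutative, so the left and right duals coincide."""
    n = len(gen_rows[0])
    k = rank(span([tuple(g) for g in gen_rows], p ** m), p, m)
    left = {ghwr_via_socle(gen_rows, p, m, r) for r in range(1, k + 1)}
    right = {n + 1 - ghwr_via_socle(free_dual_rows, p, m, r)
             for r in range(1, n - k + 1)}
    return left == set(range(1, n + 1)) - right

# Constructed from Example 3.2 (generator matrix over Z_4) and Example 3.13
# (the free part F(C^perp): the first four rows of the dual's generator matrix).
G = [(1, 0, 0, 1, 1, 2, 3), (0, 2, 0, 2, 2, 2, 0), (0, 0, 2, 2, 0, 2, 2)]
F_DUAL = [(3, 1, 1, 1, 0, 0, 0), (3, 1, 0, 0, 1, 0, 0),
          (2, 1, 1, 0, 0, 1, 0), (1, 0, 1, 0, 0, 0, 1)]

if __name__ == "__main__":
    print([ghwr_by_definition(G, 2, 2, r) for r in (1, 2, 3)])       # [4, 6, 7]
    print([ghwr_via_socle(F_DUAL, 2, 2, r) for r in (1, 2, 3, 4)])   # [3, 5, 6, 7]
    print(duality_holds(G, F_DUAL, 2, 2))                            # True
```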

Now we introduce a weight for a vector in R^n which is a generalization of 
the Lee weight for a vector in Z_4^n. For an element (0 ≠) x ∈ R, we define the 
socle weight s(x) of (0 ≠) x ∈ R as follows: 

$$s(x) := \begin{cases} q - 1 & (x \notin \mathrm{Soc}(R)) \\ q & (x \in \mathrm{Soc}(R)) \end{cases},$$

and set s(0) = 0. For example, if R = Z_27 = {0, 1, 2, ..., 26}, then s(x) = 2 for 
x ≠ 0, 9, 18 and s(x) = 3 for x = 9, 18. For a vector x = (x_1, ..., x_n) ∈ R^n, the 
socle weight w_s(x) of x is defined by 

$$w_s(x) := \sum_{i=1}^{n} s(x_i).$$

For a right linear code C of length n over R, the minimum socle weight d_s(C) 
of C is defined as follows: 

d_s(C) := min{w_s(x) | (0 ≠) x ∈ C}. 



Lemma 3.15. Let C be a right linear code of length n and of rank k over R 
and let A be the |C| × n array of all codewords in C. Then each column of A 
corresponds to the following case: the column contains all elements of Rθ^i equally 
often for some i ∈ {0, 1, ..., m − 1}. 

Proof. Let G be a generator matrix of C. Without loss of generality, we may 
assume that all elements of the first column of A are in Rθ^i. We shall prove the 
lemma by induction on k. 

First we prove the case k = 1. We set G = (x_1, x_2, ..., x_n) = x. Since R is a 
chain ring, the ideal generated by {x_1, ..., x_n} is of the form Rθ^j, j ≤ i. Then C 
is isomorphic to R/Rθ^{m−j} and each row vector of A is of the form xr, 
r + Rθ^{m−j} ∈ R/Rθ^{m−j}. Now we consider the linear maps ρ_1 : R → R [r ↦ x_1 r] and 
ρ̄_1 : R/Rθ^{m−j} → R [r + Rθ^{m−j} ↦ x_1 r]. Since the map ρ_1 is a homomorphism, the 
number of times each element x_1 r occurs in the first column of A corresponds 
to the order |r + ker ρ̄_1|. Therefore each element of Rθ^i occurs 

|ker ρ̄_1| = |Rθ^{m−i} / Rθ^{m−j}| 

times equally often in the first column of A. 

Next we suppose that the lemma holds in the case rank(C) = k − 1. Assume 
that G has the form: 

$$G = \begin{pmatrix} x_{11} & x_{12} & \cdots & x_{1n} \\ x_{21} & x_{22} & \cdots & x_{2n} \\ \vdots & \vdots & & \vdots \\ x_{k1} & x_{k2} & \cdots & x_{kn} \end{pmatrix},$$

where 0 ⊆ x_{11}R ⊆ x_{21}R ⊆ ··· ⊆ x_{k1}R ⊆ R. From the assumption, the first 
column of the |C'| × n array A' of all codewords of C', where C' is the linear 
code over R having a generator matrix G', contains all elements of Rθ^i equally 
often. So the first column of y + A' contains all elements of Rθ^i equally often 
for all y ∈ x_1 R. Since the array A has the form: 

$$A = \begin{pmatrix} y_1 + A' \\ y_2 + A' \\ \vdots \end{pmatrix},$$

where {y_i} = x_1 R, the first column of A contains all elements of Rθ^i equally 
often. □ 

Then we have the following theorem. A similar result for Lee weights of codes 
over Z_4 can be found in [12] and corresponds to the special case R = Z_4 in 
the following result. 

Theorem 3.16. Let C be a right linear code of length n over R. Then we have 

$$\sum_{x \in C} w_s(x) = |C|(q-1)|\mathrm{Supp}(C)|.$$

Proof. For each i ∈ {0, 1, ..., m − 1}, let n_i be the number of columns of A in 
which each element of Rθ^i occurs equally often. Then n_0 + n_1 + ··· + n_{m−1} = |Supp(C)|. 

Therefore we have 

$$\begin{aligned}
\sum_{x \in C} w_s(x) &= n_0 \frac{|C|}{|R|}\big\{(q-1)(|R| - |\mathrm{Soc}(R)|) + q(|\mathrm{Soc}(R)| - 1)\big\} \\
&\quad + n_1 \frac{|C|}{|R\theta|}\big\{(q-1)(|R\theta| - |\mathrm{Soc}(R)|) + q(|\mathrm{Soc}(R)| - 1)\big\} + \cdots \\
&\quad + n_{m-1} \frac{|C|}{|R\theta^{m-1}|}\big\{q(|\mathrm{Soc}(R)| - 1)\big\} \\
&= |C|\Big\{\frac{n_0}{q^m}\big((q-1)(q^m - q) + q(q-1)\big) + \frac{n_1}{q^{m-1}}\big((q-1)(q^{m-1} - q) + q(q-1)\big) \\
&\qquad\quad + \cdots + \frac{n_{m-1}}{q}\, q(q-1)\Big\} \\
&= |C|(q-1)(n_0 + n_1 + \cdots + n_{m-1}) \\
&= |C|(q-1)|\mathrm{Supp}(C)|. \qquad \square
\end{aligned}$$



Corollary 3.17. If C is a right linear code of length n over R, then the rth 
GHWR of C, 1 ≤ r ≤ rank(C), satisfies 

$$d_r(C) \ge \left\lceil \frac{(q^r - 1)\, d_s(C)}{q^r (q-1)} \right\rceil,$$

where ⌈a⌉ denotes the smallest integer greater than or equal to a. 

Proof. By Proposition 3.4, we can take an R-submodule D_r of Soc(C) with 
d_r(C) = |Supp(D_r)| and rank(D_r) = r. Since D_r is an [n, r] code over R/J(R), 
we have |D_r| = q^r. From Theorem 3.16, we have 

□ 
Abstract. Several efficient error-correcting codes are ideals in certain 
ring constructions. We consider two-sided ideals in structural matrix 
rings defined in terms of directed graphs with the set of vertices corre- 
sponding to rows and columns, and with edges corresponding to nonzero 
entries in matrices of the ring. Formulas for Hamming weights of all 
ideals in structural matrix rings are found and sharp upper bounds for 
information rates of these ideals are given. 



1 Introduction 

This paper is a contribution to two directions of research: the investigation of 
code properties of ideals in ring constructions, and the study of structural matrix 
rings of graphs. 

It is well known that introducing additional algebraic structure results in sev- 
eral advantages for coding applications. For example, linear codes are in general 
better than arbitrary ones, cyclic codes are better than linear codes, and some 
most efficient codes have been introduced as ideals of group rings. The additional 
algebraic structure makes it possible to use a small number of generating ele- 
ments to store the whole code in computer memory, and to use these generators 
in faster encoding and decoding algorithms (see [7]). These circumstances have 
motivated serious attention of several authors to considering ideals of various 
ring constructions from the point of view of coding applications. We refer to the 
recent survey [6] and books [5], [8], [9] for earlier results on this topic. 

The second direction deals with graphs and their matrix rings. Throughout 
F is a finite field, the word graph means a directed graph without multiple 
edges but possibly with loops, and D = (V, E) stands for a graph with the set 
V = {1, 2, ..., n} of vertices and the set E of edges. Edges of D correspond to 
the standard elementary matrices of the algebra M_n(F) of all (n × n)-matrices 
over F. Namely, for (i, j) ∈ E ⊆ V × V, let e_(i,j) = e_ij be the standard 
elementary matrix. Denote by 

$$M_D(F) = \bigoplus_{w \in E} F e_w$$

the set of all matrices with nonzero entries corresponding to the edges of the 
graph D, and zeros in all entries for which there are no edges in D. It is well 
known and easy to verify that M_D(F) is a subalgebra of M_n(F) if and only if 
D satisfies the following property 

(x, y), (y, z) ∈ E ⇒ (x, z) ∈ E, (1) 

for all x, y, z ∈ V. In this case M_D(F) is called a structural matrix ring. 
Structural matrix rings have been investigated by a number of authors, and 
many interesting results have been obtained (see, for example, [2], [3], [4], [10], 
[11], [12], and the monograph [5] for details and references on this direction). 

From the point of view of coding theory, the Hamming weights and informa-
tion rates of ideals are of interest. Indeed, the minimum Hamming weight w_H(C), 
i.e., the minimum number of nonzero coordinates of elements of the code C in a 
given basis, is important, because it gives the number of errors a code can detect 
or correct; and the information rate shows the ratio of the number of message 
digits, which form the information to be transmitted, to the number of all digits. 

Various types of ideals in structural matrix rings have been explored very 
well in the literature (see, in particular, [10] and [11]). However, properties of 
ideals essential for coding applications have not been addressed yet. The aim 
of this note is to find Hamming weights and upper bounds on the information 
rates of ideals in structural matrix rings. We consider only ideals with Hamming 
weight greater than one, because codes with weight one cannot detect even a 
single error. 



2 Main Theorems 

Our main theorem describes the Hamming weights of all ideals in structural ma-
trix rings (Theorem 1). We also give an exact upper bound on the information 
rates of ideals with given Hamming weight (Theorem 2). 

A few definitions are required for these theorems. The in-degree and out-
degree of a vertex v ∈ V are defined by 

indeg(v) = |{w ∈ V | (w, v) ∈ E}|, 

outdeg(v) = |{w ∈ V | (v, w) ∈ E}|. 

A vertex v of D is called a source (sink, isolated vertex) if indeg(v) = 0 and 
outdeg(v) > 0 (respectively, indeg(v) > 0, outdeg(v) = 0, or indeg(v) = 
outdeg(v) = 0). Denote by so(D) and si(D) the sets of all sources and sinks of 
D, respectively. For each vertex v ∈ V, put 

so(v) = {u ∈ so(D) | (u, v) ∈ E}, 

si(v) = {u ∈ si(D) | (v, u) ∈ E}, 

V̄ = V \ (so(D) ∪ si(D)) = {v ∈ V | indeg(v), outdeg(v) > 0}. 

In order to describe all pairs of the information rates and weights of all 
ideals, it suffices to find maximal information rates of all ideals with each value 
of the Hamming weight. Denote by W_id(D) the maximum number in the set of 
all minimum Hamming weights of ideals of the ring M_D(F). 

Theorem 1. Let D = (V, E) be a graph defining a structural matrix ring M_D(F). 
The maximum number in the set of all Hamming weights of ideals of the ring 
M_D(F) is equal to 

W_id(D) = max{1, |E ∩ (so(D) × si(D))|, |si(v)|, |so(v)| : v ∈ V̄}. (2) 

For positive integers n, d, denote by k_d(n) the maximum integer k such that 
there exists a linear (n, k) code with minimum distance d (see [7], [8] or [9]). If 
there are no codes of this sort, then we put k_d(n) = 0. 

Theorem 2. Let D = (V, E) be a graph defining a structural matrix ring M_D(F). 
For any 1 ≤ d ≤ W_id(D), all ideals of the ring M_D(F) with minimum weight d 
have information rate at most 

$$\frac{1}{|E|}\left( \sum_{v \in \overline{V}} k_d(|\mathrm{si}(v)|) + \sum_{v \in \overline{V}} k_d(|\mathrm{so}(v)|) + k_d\big(|E \cap (\mathrm{so}(D) \times \mathrm{si}(D))|\big) \right). \qquad (3)$$



Note that every structural matrix ring can be regarded as a semigroup ring. 
Let S be a finite semigroup. Recall that the semigroup ring F[S] consists of 
all sums of the form Σ_{s∈S} r_s s, where r_s ∈ F for all s ∈ S, with addition and 
multiplication defined by the rules 

$$\sum_{s \in S} r_s s + \sum_{s \in S} r'_s s = \sum_{s \in S} (r_s + r'_s)\, s, \qquad \Big(\sum_{s \in S} r_s s\Big)\Big(\sum_{t \in S} r'_t t\Big) = \sum_{s,t \in S} r_s r'_t\, st.$$

If S is a semigroup with zero θ, then the contracted semigroup ring F_0[S] is the 
quotient ring of F[S] modulo the ideal Fθ. Thus F_0[S] consists of all sums of 
the form Σ_{θ≠s∈S} r_s s, where elements of Fθ are identified with zero. 

A graph D = (V, E) defines a structural matrix ring if and only if the set 

S_D = {θ} ∪ {e_ij | (i, j) ∈ E} 

forms a semigroup, and both of these properties are equivalent to condition (1). 
Then it is easily seen that the structural matrix ring M_D(F) is isomorphic to the 
contracted semigroup ring F_0[S_D]. Thus our note also continues the investigation 
of coding properties of ideals in semigroup rings started in [1]. 
3 Proofs of the Main Theorems 

Proof of Theorem 1. First, we show that M_D(F) always has an ideal with Ham-
ming weight given by (2). Consider all possible cases, which may occur in (2). 

Case 1: max{1, |E ∩ (so(D) × si(D))|, |si(v)|, |so(v)| : v ∈ V̄} = 1. In this 
case the assertion is trivial, since the Hamming weight of the whole ring M_D(F) 
is equal to 1. 

Case 2: max{1, |E ∩ (so(D) × si(D))|, |si(v)|, |so(v)| : v ∈ V̄} = |E ∩ (so(D) × 
si(D))|. Denote by I the ideal generated in M_D(F) by the element 

$$x = \sum_{w \in E \cap (\mathrm{so}(D) \times \mathrm{si}(D))} e_w.$$

It is easily seen that 

$$M_D(F)\Big(\sum_{w \in E \cap (\mathrm{so}(D) \times \mathrm{si}(D))} e_w\Big) = \Big(\sum_{w \in E \cap (\mathrm{so}(D) \times \mathrm{si}(D))} e_w\Big) M_D(F) = 0.$$

Therefore I = Fx, and so w_H(I) = w_H(x) = |E ∩ (so(D) × si(D))|. 

Case 3: max{1, |E ∩ (so(D) × si(D))|, |si(v)|, |so(v)| : v ∈ V̄} = |si(u)|, for 
some u ∈ V̄. Denote by I the ideal generated in M_D(F) by the element 

$$y = \sum_{v \in \mathrm{si}(u)} e_{(u,v)}.$$

By the definition of si(u), we get y M_D(F) = 0. Hence 

$$I = F \sum_{v \in \mathrm{si}(u)} e_{(u,v)} + \sum_{(u_1,u) \in E} \Big( F \sum_{v \in \mathrm{si}(u)} e_{(u_1,v)} \Big).$$

Every edge of D occurs at most once in all sums of this expression. Therefore 
the Hamming weight of I is equal to |si(u)|. 

Case 4: max{1, |E ∩ (so(D) × si(D))|, |si(v)|, |so(v)| : v ∈ V̄} = |so(v)|, for 
some v ∈ V̄. Denote by I the ideal generated in M_D(F) by the element 

$$z = \sum_{u \in \mathrm{so}(v)} e_{(u,v)}.$$

The definition of so(v) yields M_D(F) z = 0. Therefore 

$$I = F \sum_{u \in \mathrm{so}(v)} e_{(u,v)} + \sum_{(v,v_1) \in E} \Big( F \sum_{u \in \mathrm{so}(v)} e_{(u,v_1)} \Big).$$

Every edge of D occurs at most once in all sums of this expression. It follows 
that the Hamming weight of I is equal to |so(v)|. 

Thus in all the cases M_D(F) has an ideal with Hamming weight given by 
(2). 

Next, we take any ideal I of M_D(F), and show that it has Hamming weight 
at most (2). Obviously, we can assume that I ≠ 0. Choose a nonzero element 

$$x = \sum_{(u,v) \in E} x_{(u,v)} e_{(u,v)} \in I,$$

where x_(u,v) ∈ F. The following cases are possible: 

Case 1: x_(u,v) ≠ 0 for some u, v ∈ V̄. Since u ∈ V̄, there exists u_1 such that 
(u_1, u) ∈ E. Similarly, (v, v_1) ∈ E for some v_1 ∈ V. It follows that e_(u_1,u) x e_(v,v_1) = 
x_(u,v) e_(u_1,v_1) ∈ I. Therefore in this case the Hamming weight of I is equal to 1. 

Case 2: x_(u,v) = 0 for all pairs u, v ∈ V̄, but x_(u,v) ≠ 0 for some u ∈ V̄. Hence 
v ∈ si(u). Moreover, v' ∈ si(u) for all v' ∈ V with x_(u,v') ≠ 0. Since u ∈ V̄, 
there exists u_1 such that (u_1, u) ∈ E. It follows that 

$$e_{(u_1,u)}\, x = \sum_{z \in \mathrm{si}(u)} x_{(u,z)}\, e_{(u_1,z)} \in I.$$

Therefore the Hamming weight of I is at most |si(u)|. 

Case 3: x_(u,v) = 0 for all pairs u, v ∈ V̄, but x_(u,v) ≠ 0 for some v ∈ V̄. We 
see that u ∈ so(v). Moreover, u' ∈ so(v) for all u' ∈ V with x_(u',v) ≠ 0. Given 
that v ∈ V̄, there exists v_1 such that (v, v_1) ∈ E. It follows that 

$$x\, e_{(v,v_1)} = \sum_{z \in \mathrm{so}(v)} x_{(z,v)}\, e_{(z,v_1)} \in I.$$

Therefore the Hamming weight of I is at most |so(v)|. 

Case 4: x_(u,v) = 0 if u ∈ V̄ or v ∈ V̄. Then 

$$x = \sum_{w \in E \cap (\mathrm{so}(D) \times \mathrm{si}(D))} x_w e_w,$$

and so the Hamming weight of x is at most |E ∩ (so(D) × si(D))|. 

Thus in each of these cases the Hamming weight of I does not exceed W_id(D) 
given by (2). This completes the proof. □ 

Proof of Theorem 2. Consider any ideal I of the ring M_D(F), which has 
Hamming weight d, where 1 ≤ d ≤ W_id(D). 

Every element x ∈ M_D(F) has a unique representation in the form x = 
Σ_{w∈E} x_w e_w, where x_w ∈ F. The element x_w is called the projection of x on w. 
Let 

I_w = {x_w | x ∈ I}. 

For any S ⊆ E, denote by I_S the projection of I on S, that is the set 

$$I_S = \Big\{ x_S := \sum_{w \in S} x_w e_w \;\Big|\; x \in I \Big\}.$$

Let supp(I) be the set of edges w such that I_w ≠ 0. 

If supp(I) ∩ (V̄ × V̄) ≠ ∅, then I contains an element x such that x_(u,v) ≠ 0 for 
some u, v ∈ V̄. We can choose u_1, v_1 with (u_1, u) ∈ E, (v, v_1) ∈ E, and get 
e_(u_1,u) x e_(v,v_1) = x_(u,v) e_(u_1,v_1) ∈ I. This contradicts our choice of d and shows that 

supp(I) ⊆ {(v, si(v)) | v ∈ V̄} ∪ {(so(v), v) | v ∈ V̄} ∪ (E ∩ (so(D) × si(D))). (4) 

Suppose to the contrary that the information rate of I exceeds (3). Then it 
follows from (4) that one of the following cases occurs. 

Case 1: |supp(I) ∩ {(u, v) | v ∈ si(u)}| > k_d(|si(u)|), for some u ∈ V̄. Putting 

S = {(u, v) | v ∈ si(u)}, 

we get dim(I_S) > k_d(|si(u)|). Therefore w_H(I_S) < d. 

Take any element z ∈ I_S. There exists x ∈ I such that z = x_S. Since 
u ∈ V̄, there exists u_0 ∈ V such that (u_0, u) ∈ E. Clearly, the Hamming weight 
of x_S is equal to the Hamming weight of e_(u_0,u) x ∈ I. Therefore 
w_H(I) ≤ w_H(I_S) < d. This contradiction shows that the first case is impossible. 

Case 2: |supp(I) ∩ {(u, v) | u ∈ so(v)}| > k_d(|so(v)|), for some v ∈ V̄. Putting 

S = {(u, v) | u ∈ so(v)}, 

we get dim(I_S) > k_d(|so(v)|). Hence w_H(I_S) < d. 

For each z ∈ I_S, there exists x ∈ I such that z = x_S. Since v ∈ V̄, there 
exists v_1 ∈ V such that (v, v_1) ∈ E. The Hamming weight of x_S is equal to the 
Hamming weight of x_S e_(v,v_1) = x e_(v,v_1) ∈ I. Hence w_H(I) ≤ w_H(I_S) < d. This 
contradiction shows that the second case is impossible, either. 

Case 3: |supp(I) ∩ (so(D) × si(D))| > k_d(|E ∩ (so(D) × si(D))|). Then it fol-
lows that dim(I ∩ Σ_{v∈V̄} F e_(so(v),v)) > k_d(|so(v)|); whence w_H(I) ≤ w_H(I ∩ 
Σ_{v∈V̄} F e_(so(v),v)) < d. This contradiction completes the proof. □ 

4 Special Cases 

A tournament G is a graph such that, for all distinct u, v ∈ G, either (u, v) ∈ 
E(G) or (v, u) ∈ E(G), but not both. The following proposition shows that for 
many graphs D the bound (3) is exact. 

Proposition 1. Let D = (V, E) be a graph defining a structural matrix ring 
M_D(F), and such that every connected component of the subgraph induced in D 
by the set 

{u ∈ V | si(u) ≠ ∅} (5) 

is a tournament, and every connected component of the subgraph induced in D 
by the set 

{v ∈ V | so(v) ≠ ∅} (6) 

is a tournament. Then, for every 1 ≤ d ≤ W_id(D), the structural matrix ring 
M_D(F) has an ideal with Hamming weight d and information rate given by (3). 
Proof. Let C be a connected component of the subgraph induced in D by the set 
(5). Every tournament satisfying condition (1) is acyclic, i.e., it has no directed 
cycles. It is well known that every acyclic graph can be topologically ordered. 
This means that we may reorder the vertices {u_1, u_2, ..., u_k} of the tournament 
C so that it has an edge (u_i, u_j) if and only if i > j. Put S_i = si(u_i). It follows 
from condition (1) that 

S_1 ⊆ S_2 ⊆ ··· ⊆ S_k. 

By induction we can define subspaces L_i of Σ_{v∈si(u_i)} F e_(u_i,v) such that w(L_i) = 
d, dim(L_i) = k_d(Σ_{v∈si(u_i)} F e_(u_i,v)) and L_1 ⊆ L_2 ⊆ ··· ⊆ L_k. Straightforward 
verification shows that the union of these subspaces is an ideal of M_D(F). 

Now, let C be a connected component of the subgraph induced in D by the 
set (6). Relabel the vertices {v_1, v_2, ..., v_k} of the tournament C in the opposite 
direction so that it has an edge (v_i, v_j) if and only if i < j. This time we put 
S_i = so(v_i). Again it follows that 

S_1 ⊆ S_2 ⊆ ··· ⊆ S_k. 

By induction we can define subspaces L_i of Σ_{u∈so(v_i)} F e_(u,v_i) such that w(L_i) = 
d, dim(L_i) = k_d(Σ_{u∈so(v_i)} F e_(u,v_i)) and L_1 ⊆ L_2 ⊆ ··· ⊆ L_k. Then it is easily 
seen that the union of these subspaces is an ideal of M_D(F). 

Denote by S the sum of these ideals obtained above for all connected com-
ponents C of the subgraph of D induced by the set (5), together with the sum 
of ideals given above by all connected components of the subgraph induced in 
D by the set (6). Then the sum 

$$S + \sum_{w \in E \cap (\mathrm{so}(D) \times \mathrm{si}(D))} F e_w$$

has the required information rate given in (3). □ 

The following example shows that the exact values of information rates in- 
tricately depend on the structure of the graph D, and for some graphs may be 
less than the bound (3). 

Example 1. The graph D = (V, E) with the set V = {1, 2, 3, 4, 5, 6, 7} of vertices 
and adjacency matrix 

$$\begin{pmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 1 & 1 & 0 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 0 & 0 & 0 \\
1 & 1 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}$$

satisfies condition (1), and so it defines a structural matrix ring M_D(F). Let 
d = 3, and let F = GF(2). The largest linear subspace with Hamming weight 
3 in F e_(5,1) + F e_(5,2) + F e_(5,3) is generated by e_(5,1) + e_(5,2) + e_(5,3), and so it 
has dimension equal to k_3(|si(5)|). It contains all vectors of Hamming weight 
3. Similarly, the largest linear subspace with Hamming weight 3 in F e_(6,2) + 
F e_(6,3) + F e_(6,4) is generated by e_(6,2) + e_(6,3) + e_(6,4), and so it has dimension 
equal to k_3(|si(6)|), too. However, if we consider the ideal generated by these 
spaces, it has smaller Hamming weight. Indeed, 

e_(7,5)(e_(5,1) + e_(5,2) + e_(5,3)) + e_(7,6)(e_(6,2) + e_(6,3) + e_(6,4)) = e_(7,1) + e_(7,4). 

It follows that all ideals of M_D(F) with Hamming weight 3 have information 
rates strictly less than the upper bound given by (3). 
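Added example (not the paper's code): the graph of Example 1 encoded in Python, with formula (2) evaluated from the source and sink data, checked by brute force over the principal ideals of M_D(GF(2)), and the product displayed in the example recomputed; the frozenset encoding of ring elements and all function names are my own.

```python
"""Hamming weights of ideals in a structural matrix ring M_D(F), F = GF(2).

Added example, not code from the paper.  An element of M_D(GF(2)) is stored as
the frozenset of edges whose coefficient is 1.  The graph is the 7-vertex graph
of Example 1, constructed here from its adjacency matrix (vertex 7 has a loop)."""
from itertools import combinations

V = frozenset(range(1, 8))
E = frozenset({(5, 1), (5, 2), (5, 3), (6, 2), (6, 3), (6, 4)} | {(7, v) for v in V})

def is_structural(V, E):
    """Condition (1): (x,y), (y,z) in E implies (x,z) in E."""
    return all((x, z) in E for (x, y) in E for (y2, z) in E if y == y2)

def indeg(v, E):
    return sum(1 for (u, w) in E if w == v)

def outdeg(v, E):
    return sum(1 for (u, w) in E if u == v)

def sources(V, E):
    return {v for v in V if indeg(v, E) == 0 and outdeg(v, E) > 0}

def sinks(V, E):
    return {v for v in V if indeg(v, E) > 0 and outdeg(v, E) == 0}

def inner(V, E):
    """The set written V-bar in the text: vertices with in- and out-edges."""
    return {v for v in V if indeg(v, E) > 0 and outdeg(v, E) > 0}

def si(v, V, E):
    return {u for u in sinks(V, E) if (v, u) in E}

def so(v, V, E):
    return {u for u in sources(V, E) if (u, v) in E}

def w_id(V, E):
    """Formula (2): the largest Hamming weight an ideal of M_D(F) can have."""
    so_D, si_D = sources(V, E), sinks(V, E)
    cands = [1, sum(1 for (a, b) in E if a in so_D and b in si_D)]
    for v in inner(V, E):
        cands += [len(si(v, V, E)), len(so(v, V, E))]
    return max(cands)

def mul(x, y):
    """Product in M_D(GF(2)): e_(a,b) e_(c,d) = e_(a,d) if b == c, else 0."""
    out = set()
    for (a, b) in x:
        for (c, d) in y:
            if b == c:
                out ^= {(a, d)}          # coefficients add mod 2
    return frozenset(out)

def add(x, y):
    return frozenset(set(x) ^ set(y))

def principal_ideal(x, E):
    """Two-sided ideal generated by x: the GF(2)-span of x, e_w x, x e_w and
    e_w x e_w' (M_D(F) need not contain an identity, so x itself is included)."""
    gens = {x}
    gens |= {mul(frozenset({w}), x) for w in E} | {mul(x, frozenset({w})) for w in E}
    gens |= {frozenset({(a, d)}) for (a, b) in E for (c, d) in E if (b, c) in x}
    ideal = {frozenset()}
    for g in gens:                       # close the span under addition
        if g and g not in ideal:
            ideal |= {add(g, h) for h in ideal}
    return ideal

def ideal_weight(ideal):
    """w_H(I): the minimum number of nonzero entries of a nonzero element of I."""
    return min(len(y) for y in ideal if y)

def max_ideal_weight(V, E):
    """max over all ideals of w_H(I), by brute force over principal ideals: every
    ideal I contains (x) for each x in I, and w_H((x)) >= w_H(I)."""
    edges = sorted(E)
    return max(ideal_weight(principal_ideal(frozenset(xs), E))
               for r in range(1, len(edges) + 1)
               for xs in combinations(edges, r))

def example_1_product():
    """e_(7,5)(e_(5,1)+e_(5,2)+e_(5,3)) + e_(7,6)(e_(6,2)+e_(6,3)+e_(6,4))."""
    y1 = mul(frozenset({(7, 5)}), frozenset({(5, 1), (5, 2), (5, 3)}))
    y2 = mul(frozenset({(7, 6)}), frozenset({(6, 2), (6, 3), (6, 4)}))
    return add(y1, y2)                   # e_(7,1) + e_(7,4): weight 2 < 3

if __name__ == "__main__":
    print(is_structural(V, E), sorted(sinks(V, E)), w_id(V, E))  # True [1, 2, 3, 4] 4
    print(max_ideal_weight(V, E))                                 # 4
    print(sorted(example_1_product()))                            # [(7, 1), (7, 4)]
```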
Abstract. We give a new description of the so-called hyperbolic codes 
from which the minimum distance and the generator matrix are easily 
determined. We also give a method for the determination of the dimen- 
sion of the codes and finally some results on the weight hierarchy are 
presented. 

Keywords: Hyperbolic codes, generalized Hamming weights. 



1 Introduction 

In [9] Saints and Heegard considered a class of codes called hyperbolic cascaded Reed-Solomon codes, which can be seen as an improvement of the generalized Reed-Muller codes $RM_q(r,2)$. The construction was further generalized by Feng and Rao in [2] to an improvement of the generalized Reed-Muller codes $RM_q(r,m)$ for arbitrary $m$. Feng et al. also estimated the minimum distance of the new codes. The codes were further studied in [8] and [5], where the minimum distance was estimated by means of order functions, where it was shown using the theory of order domains that the codes are asymptotically bad with respect to the order bound, and where the codes were renamed hyperbolic codes. In [3] and [4] Feng et al. used the so-called generalized Bézout theorem to determine the minimum distance and the generalized Hamming weights of several codes, and it was realized by Geil and Høholdt in [6] that these results could be obtained by using the so-called footprint from Gröbner basis theory. In this paper we use the footprint to construct a class of codes whose minimum distance is easy to determine; this is done in Section 2. In Section 3 we then show that these codes are actually the hyperbolic codes, thereby obtaining generator matrices of these, and give a method for the determination of the dimension. It follows that the estimate in [8] of the minimum distance of the hyperbolic codes actually gives the correct minimum distance. Section 4 is devoted to the generalized Hamming weights of the codes and Section 5 is the conclusion.



S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 159-171, 2001.

2 A Class of Codes with Known Minimum Distance

In this section we give a new description of a class of codes related to the polynomial ring $\mathbb{F}_q[X_1, \ldots, X_m]$, $m \ge 1$, and we determine the minimum distance of the codes. The presentation of the codes relies on the Gröbner basis theoretical concept of a footprint.

Definition 1. Assume we are given an ideal
$$I = \langle F_1(X_1, \ldots, X_m), \ldots, F_l(X_1, \ldots, X_m) \rangle \subseteq \mathbb{F}_q[X_1, \ldots, X_m]$$
and a monomial ordering $\prec$ on the set $\mathcal{M}_m$ of monomials in the variables $X_1, \ldots, X_m$. The footprint of $I$ with respect to $\prec$ is given by
$$\Delta_\prec(I) := \{ M \in \mathcal{M}_m \mid M \text{ is not a leading monomial of any polynomial in } I \}.$$

In order to estimate/find the minimum distance of the codes that we are just about to define we will need the following result, known as the footprint bound. For a proof of the theorem see [1].

Theorem 1. Assume we are given an ideal $I$ and a monomial ordering $\prec$ such that $\Delta_\prec(I)$ is a finite set. Then the size of $\Delta_\prec(I)$ is independent of the actual choice of $\prec$. Let $\bar{\mathbb{F}}_q$ denote the algebraic closure of $\mathbb{F}_q$. The number of common solutions in $(\bar{\mathbb{F}}_q)^m$ of $F_1(X_1, \ldots, X_m), \ldots, F_l(X_1, \ldots, X_m)$ is at most equal to $\#\Delta_\prec(I)$. In other words the size of the variety $V_{\bar{\mathbb{F}}_q}(I)$ satisfies $\#V_{\bar{\mathbb{F}}_q}(I) \le \#\Delta_\prec(I)$. In particular $\#V_{\mathbb{F}_q}(I) \le \#\Delta_\prec(I)$ holds.

Definition 2. Given a polynomial ring $\mathbb{F}_q[X_1, \ldots, X_m]$ and an indexing $\mathbb{F}_q^m = \{P_1, P_2, \ldots, P_n\}$, where $n = q^m$, consider the evaluation map
$$\mathrm{ev} : \mathbb{F}_q[X_1, \ldots, X_m] \to \mathbb{F}_q^n, \qquad F \mapsto (F(P_1), \ldots, F(P_n)).$$
Define the map
$$D : \mathcal{M}_m \to \mathbb{N}_0, \qquad M \mapsto \#\Delta_\prec(\langle M, X_1^q, \ldots, X_m^q \rangle)$$
and define the code $E(s) := \mathrm{Span}_{\mathbb{F}_q}\{\mathrm{ev}(M) \mid M \in \mathcal{M}_m,\ D(M) \le s\}$.

Note that the value $D(M)$ is easily calculated. It is simply the number of monomials in $\mathcal{M}_m$ that are not divisible by any of the monomials $M, X_1^q, \ldots, X_m^q$; for $M = X_1^{a_1} \cdots X_m^{a_m}$ with all $a_i < q$ this is $q^m - (q - a_1) \cdots (q - a_m)$.

Remark 1. As $\mathrm{ev}(N X_i^q) = \mathrm{ev}(N X_i)$ and $D(N X_i^q) \ge D(N X_i)$ for $N \in \mathcal{M}_m$, we need in the definition of $E(s)$ only consider monomials $M$ such that $\deg_{X_i} M < q$, $i = 1, \ldots, m$. It is well known that the restriction of $\mathrm{ev}$ to
$$\mathrm{Span}_{\mathbb{F}_q}\{M \in \mathcal{M}_m \mid \deg_{X_i} M < q,\ i = 1, \ldots, m\}$$
is an isomorphism. Hence, for $s$ large enough, $E(s) = \mathbb{F}_q^n$.
Definition 3. We define
$$\mathcal{M}_m^{(q)}(s) := \{M \in \mathcal{M}_m \mid \deg_{X_i} M < q \text{ for } i = 1, \ldots, m, \text{ and } D(M) \le s\}.$$
Using this notation we have
$$E(s) = \mathrm{Span}_{\mathbb{F}_q}\{\mathrm{ev}(M) \mid M \in \mathcal{M}_m^{(q)}(s)\}.$$



Example 1. In this example we construct the code $E(19)$ related to $\mathbb{F}_3[X_1, X_2, X_3]$. To this end we register in the matrices $A_1$, $A_2$ and $A_3$ below the values
$$\{D(M) \mid M \in \mathcal{M}_3,\ \deg_{X_i} M < 3 \text{ for } i = 1, 2, 3\}.$$
The matrices should be read as follows. The entry in position $(i,j)$ of $A_k$ is $D(X_1^{i-1} X_2^{j-1} X_3^{k-1})$.
$$A_1 = \begin{pmatrix} 0 & 9 & 18 \\ 9 & 15 & 21 \\ 18 & 21 & 24 \end{pmatrix}, \qquad
A_2 = \begin{pmatrix} 9 & 15 & 21 \\ 15 & 19 & 23 \\ 21 & 23 & 25 \end{pmatrix}, \qquad
A_3 = \begin{pmatrix} 18 & 21 & 24 \\ 21 & 23 & 25 \\ 24 & 25 & 26 \end{pmatrix}.$$
So
$$E(19) = \mathrm{ev}\bigl(\mathrm{Span}_{\mathbb{F}_3}\{M \mid M \in \mathcal{M}_3^{(3)}(19)\}\bigr)
= \mathrm{ev}\bigl(\mathrm{Span}_{\mathbb{F}_3}\{1, X_1, X_1^2, X_2, X_1X_2, X_2^2, X_3, X_1X_3, X_2X_3, X_1X_2X_3, X_3^2\}\bigr)$$
and $E(19)$ is of dimension $k = 11$. Obviously the code is of length $n = 3^3 = 27$.

A first study of the parameters of the codes reveals the following. 

Proposition 1. The code $E(s)$ is of length $n = q^m$ and minimum distance $d \ge q^m - s$.

Proof. The first part is obvious. To show the last part we fix an arbitrary monomial ordering $\prec$. A code word in $E(s)$ can be written $\mathrm{ev}(\sum_{i=1}^{t} \gamma_i M_i)$, where $\gamma_i \in \mathbb{F}_q$ and $M_i \in \mathcal{M}_m^{(q)}(s)$ for $i = 1, \ldots, t$. We may without loss of generality assume $M_t \succ M_j$ for $j = 1, \ldots, t-1$ and $\gamma_t \ne 0$. Now
$$\Delta_\prec\Bigl(\Bigl\langle \sum_{i=1}^{t} \gamma_i M_i,\ X_1^q - X_1, \ldots, X_m^q - X_m \Bigr\rangle\Bigr) \subseteq \Delta_\prec(\langle M_t, X_1^q, \ldots, X_m^q \rangle)$$
and in particular
$$\#\Delta_\prec\Bigl(\Bigl\langle \sum_{i=1}^{t} \gamma_i M_i,\ X_1^q - X_1, \ldots, X_m^q - X_m \Bigr\rangle\Bigr) \le s.$$
By the footprint bound the number of positions where the codeword is equal to 0 is at most $s$, and the bound $d \ge q^m - s$ follows. □
We note that one can also prove Proposition 1 by using the techniques in [10]. As we shall soon see we can say even more whenever $s$ is chosen properly.

Definition 4. Define $S := \{D(M) \mid M \in \mathcal{M}_m,\ \deg_{X_i} M < q,\ i = 1, \ldots, m\}$.

Theorem 2. For any $s' \in \mathbb{N}_0$ there exists a unique $s \in S$ such that $E(s') = E(s)$. The minimum distance of $E(s)$, $s \in S$, is given by $d = q^m - s$.

Proof. The first part follows from the very definition of the codes in combination with Remark 1 ($s$ is the largest element of $S$ not exceeding $s'$). To show the last part we need by Proposition 1 only find a code word $\mathrm{ev}(\sum_{i=1}^{t} \gamma_i M_i)$ in $E(s)$ of weight $q^m - s$. That is to say we need only find a nonzero polynomial $\sum_{i=1}^{t} \gamma_i M_i$ ($\gamma_i \in \mathbb{F}_q$, $M_i \in \mathcal{M}_m^{(q)}(s)$ for $i = 1, \ldots, t$) that possesses $s$ different zeros in $\mathbb{F}_q^m$. We first choose any $M \in \mathcal{M}_m^{(q)}(s)$ such that $D(M) = s$. Say $M = X_1^{a_1} \cdots X_m^{a_m}$. Hence
$$s = \#\Delta_\prec(\langle M, X_1^q, \ldots, X_m^q \rangle) = q^m - (q - a_1)(q - a_2) \cdots (q - a_m).$$
Index the elements of $\mathbb{F}_q$ by $\mathbb{F}_q = \{\alpha_1, \ldots, \alpha_q\}$. Consider the polynomial
$$P(X_1, \ldots, X_m) = (X_1 - \alpha_1) \cdots (X_1 - \alpha_{a_1})(X_2 - \alpha_1) \cdots (X_2 - \alpha_{a_2}) \cdots (X_m - \alpha_1) \cdots (X_m - \alpha_{a_m}).$$
This polynomial is of the desired form (its leading monomial is $M$ and every other monomial in it divides $M$). The elements in $\mathbb{F}_q^m$ that are not a zero of $P$ are precisely the elements of the form $(\alpha_{i_1}, \ldots, \alpha_{i_m})$ with $a_1 < i_1$, $a_2 < i_2$, $\ldots$, $a_m < i_m$. So $P$ has $q^m - (q - a_1)(q - a_2) \cdots (q - a_m) = s$ different zeros and we are through. □

Example 2. This is a continuation of Example 1. We have $D(X_1X_2X_3) = 19 \in S$. Hence by Theorem 2 the minimum distance of $E(19)$ is given by $d = 3^3 - 19 = 8$.

In the following we will always assume that $s \in S$.

3 Hyperbolic Codes

In [8, p. 922] the so-called hyperbolic codes are considered.

Definition 5. Let
$$\mathcal{M}_m^{(q)\perp}(s) := \Bigl\{X_1^{a_1} \cdots X_m^{a_m} \in \mathcal{M}_m \Bigm| a_i < q,\ i = 1, \ldots, m,\ \prod_{i=1}^{m}(a_i + 1) < q^m - s\Bigr\}.$$

The hyperbolic codes are now defined as follows.

Definition 6. $\mathrm{Hyp}_q(s,m) := \{c \in \mathbb{F}_q^n \mid (c, \mathrm{ev}(M)) = 0 \text{ for all } M \in \mathcal{M}_m^{(q)\perp}(s)\}$. Here $n = q^m$ and $(\ ,\ )$ denotes the standard inner product in $\mathbb{F}_q^n$.




On Hyperbolic Codes 163 



In [8] the minimum distance of these codes is estimated using the order bound. One gets $d(\mathrm{Hyp}_q(s,m)) \ge q^m - s$. Theorem 2 and the following result prove that this estimate actually equals the true minimum distance of the hyperbolic code.

Theorem 3. Consider $\mathbb{F}_q[X_1, \ldots, X_m]$. Then $E(s) = \mathrm{Hyp}_q(s,m)$.

Proof. We first note that if $M \in \mathcal{M}_m^{(q)}(s)$ and $N \in \mathcal{M}_m^{(q)\perp}(s)$ then $(\mathrm{ev}(M), \mathrm{ev}(N)) = 0$. To see this let $M = X_1^{a_1} \cdots X_m^{a_m}$ and $N = X_1^{b_1} \cdots X_m^{b_m}$; then
$$(\mathrm{ev}(M), \mathrm{ev}(N)) = \sum_{i_1=1}^{q} \cdots \sum_{i_m=1}^{q} \alpha_{i_1}^{a_1+b_1} \alpha_{i_2}^{a_2+b_2} \cdots \alpha_{i_m}^{a_m+b_m} = \prod_{i=1}^{m} \sum_{\alpha \in \mathbb{F}_q} \alpha^{a_i+b_i}, \qquad (1)$$
where $\mathbb{F}_q = \{\alpha_1, \ldots, \alpha_q\}$. If there exists an $i$ such that $a_i + b_i \not\equiv 0 \pmod{q-1}$ then (1) is obviously zero, and the same is the case if there exists an $i$ such that $a_i + b_i = 0$, so we only have to consider the case where $a_i + b_i = q - 1$ or $2(q-1)$ for all $i$. Suppose $a_i + b_i = q - 1$ for $i = 1, \ldots, r$ and $a_i + b_i = 2(q-1)$ for $i = r+1, \ldots, m$. This of course implies that $a_i = b_i = q - 1$ for $i = r+1, \ldots, m$. Now $q^m - \prod_{i=1}^{m}(q - a_i) \le s$, so
$$q^m - s \le \prod_{i=1}^{m}(q - a_i) = \prod_{i=1}^{r}(b_i + 1) \le \prod_{i=1}^{m}(b_i + 1) < q^m - s,$$
which is a contradiction, so this case never occurs. This proves that $E(s) \subseteq \mathrm{Hyp}_q(s,m)$.

On the other hand we have that
$$\dim(\mathrm{Hyp}_q(s,m)) = q^m - \#\Bigl\{(a_1, \ldots, a_m) \Bigm| 0 \le a_i < q,\ i = 1, \ldots, m,\ \prod_{i=1}^{m}(a_i + 1) < q^m - s\Bigr\}
= \#\Bigl\{(a_1, \ldots, a_m) \Bigm| 0 \le a_i < q,\ i = 1, \ldots, m,\ \prod_{i=1}^{m}(a_i + 1) \ge q^m - s\Bigr\}$$
and
$$\dim(E(s)) = \#\{(a_1, \ldots, a_m) \mid 0 \le a_i < q,\ i = 1, \ldots, m,\ D(X_1^{a_1} \cdots X_m^{a_m}) \le s\}
= \#\Bigl\{(a_1, \ldots, a_m) \Bigm| 0 \le a_i < q,\ i = 1, \ldots, m,\ \prod_{i=1}^{m}(q - a_i) \ge q^m - s\Bigr\},$$
where $\dim(C)$ denotes the dimension of the code $C$ (the vectors $\mathrm{ev}(M)$, $\deg_{X_i} M < q$, are linearly independent by Remark 1). It is clear that the mapping
$$(i_1, \ldots, i_m) \mapsto (q - i_1 - 1, \ldots, q - i_m - 1)$$
is a bijection from
$$\Bigl\{(a_1, \ldots, a_m) \Bigm| 0 \le a_i < q,\ i = 1, \ldots, m,\ \prod_{i=1}^{m}(q - a_i) \ge q^m - s\Bigr\}$$
to
$$\Bigl\{(a_1, \ldots, a_m) \Bigm| 0 \le a_i < q,\ i = 1, \ldots, m,\ \prod_{i=1}^{m}(a_i + 1) \ge q^m - s\Bigr\}.$$
So the two codes have the same dimension and we have completed the proof. □



Remark 2. It follows from Theorem 3 that we now have the generator matrices of the hyperbolic codes.

For $a \in \mathbb{N}$ we define
$$V(m, a) := \#\Bigl\{(x_1, \ldots, x_m) \Bigm| x_i \in \mathbb{N},\ 1 \le x_i \le q,\ i = 1, \ldots, m,\ \prod_{i=1}^{m} x_i \le a\Bigr\};$$
then it follows from above that
$$\dim(\mathrm{Hyp}_q(s,m)) = q^m - V(m, q^m - s - 1).$$
It is not obvious how to get a closed form expression for $V(m,a)$, but since $V(1,a) = \min\{a, q\}$ and $V(m,a) = \sum_{i=1}^{q} V(m-1, \lfloor a/i \rfloor)$ one can easily calculate $V(m,a)$ recursively. One can verify that
$$V(2,a) = bq + \sum_{i=b+1}^{q} \lfloor a/i \rfloor,$$
where $b := \min\{\lfloor a/q \rfloor, q\}$ and the last sum is zero if $b = q$. For $q = 2$ we get $V(m,a) = \sum_{i=0}^{\lfloor \log_2 a \rfloor} \binom{m}{i}$, in agreement with the fact that the classical binary Reed-Muller codes are hyperbolic codes.

The description in [8] of the hyperbolic codes is based on order domain theory. From the theory in [8] it is clear that the hyperbolic code construction is an improvement of the generalized Reed-Muller code construction in the following sense. For every generalized Reed-Muller code there exists a hyperbolic code of designed minimum distance $d^* = q^m - s$ such that $d^*$ equals the minimum distance of the generalized Reed-Muller code (in this paper we have shown that in general the designed minimum distance $d^*$ equals the true minimum distance of the hyperbolic code). The first code is in some cases of the same dimension as the latter, in other cases of higher dimension. Further, there are many more hyperbolic codes related to $\mathbb{F}_q[X_1, \ldots, X_m]$ than there are generalized Reed-Muller codes. We illustrate these observations by an example.

Example 3. We look at the case $q = 64$ and $m = 3$. There are 190 different generalized Reed-Muller codes $RM_{64}(r,3)$ and 14 224 different hyperbolic codes $\mathrm{Hyp}_{64}(s,3)$. The graphs in Figure 1 are generated by a pointplot routine. Every $+$ corresponds to a generalized Reed-Muller code of the given parameters. The graph marked with $\circ$ corresponds to the hyperbolic codes. It appears that, given a generalized Reed-Muller code, in almost all cases there are hyperbolic codes that are of larger minimum distance and of larger dimension. This was of course one of the reasons for considering the hyperbolic codes in the first place (besides the fact that we get many more codes).
[Fig. 1. Point plot with axis label $k/n$: $+$ marks the generalized Reed-Muller codes $RM_{64}(r,3)$, $\circ$ marks the hyperbolic codes $\mathrm{Hyp}_{64}(s,3)$.]

It is well-known that generalized Reed-Muller codes are asymptotically bad and 
it follows from [5, Corollary 2] that the hyperbolic codes are also asymptotically 
bad since their minimum distance as we have seen equals the order bound. 
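The construction of Sections 2 and 3 can be carried out mechanically, and the following Python code (an added example by the editor, not part of the paper) does so for the running example $q = 3$, $m = 3$, $s = 19$: it computes $D(M)$ by counting the footprint, lists $\mathcal{M}_m^{(q)}(s)$ and the set $S$, builds the generator matrix $[\mathrm{ev}(M)]$ of $E(s) = \mathrm{Hyp}_q(s,m)$, evaluates $V(m,a)$ by the recursion above, and then checks $k = 11$ and $d = 8$ independently by a rank computation and an exhaustive search. The field arithmetic assumes $q$ prime (so $\mathbb{F}_q$ is integer arithmetic mod $q$); the function names are the editor's.

```python
from itertools import product


def footprint_size(q, m, gens):
    """#Delta(<gens, X_1^q, ..., X_m^q>): exponent vectors in {0..q-1}^m that are
    divisible by none of the generators (given as exponent tuples).  No monomial
    ordering enters, in line with Theorem 1."""
    return sum(1 for e in product(range(q), repeat=m)
               if not any(all(e[i] >= g[i] for i in range(m)) for g in gens))


def D(q, M):
    """The map D of Definition 2: D(X^a) = q^m - prod(q - a_i)."""
    return footprint_size(q, len(M), [M])


def monomials(q, m, s):
    """M_m^{(q)}(s) of Definition 3: sorted exponent tuples with D(M) <= s."""
    return sorted(M for M in product(range(q), repeat=m) if D(q, M) <= s)


def S_values(q, m):
    """The set S of Definition 4; the distinct codes E(s) are indexed by it."""
    return sorted({D(q, M) for M in product(range(q), repeat=m)})


def V(m, a, q):
    """V(m, a) of Section 3 via V(m, a) = sum_{x=1}^{q} V(m-1, floor(a/x))."""
    if m == 1:
        return min(a, q)
    return sum(V(m - 1, a // x, q) for x in range(1, q + 1))


def evaluate(P, M, q):
    """Value of X^M at the point P of F_q^m.  q is assumed prime, so F_q is
    integer arithmetic mod q; pow(0, 0, q) == 1 gives X^0 = 1 at 0."""
    v = 1
    for x, e in zip(P, M):
        v = v * pow(x, e, q) % q
    return v


def generator_matrix(q, m, s):
    """Rows ev(M), M in M_m^{(q)}(s); by Theorem 3 a generator matrix of Hyp_q(s, m)."""
    points = list(product(range(q), repeat=m))
    return [[evaluate(P, M, q) for P in points] for M in monomials(q, m, s)]


def rank_mod_p(rows, p):
    """Rank over F_p (p prime) by Gauss-Jordan elimination."""
    A, rk = [r[:] for r in rows], 0
    for col in range(len(A[0])):
        piv = next((i for i in range(rk, len(A)) if A[i][col]), None)
        if piv is None:
            continue
        A[rk], A[piv] = A[piv], A[rk]
        inv = pow(A[rk][col], p - 2, p)
        A[rk] = [x * inv % p for x in A[rk]]
        for i in range(len(A)):
            if i != rk and A[i][col]:
                f = A[i][col]
                A[i] = [(x - f * y) % p for x, y in zip(A[i], A[rk])]
        rk += 1
    return rk


def min_distance(rows, p):
    """Exhaustive minimum distance.  The coefficient vector runs through F_p^k as
    a mixed-radix counter, so each step adds one or two rows to the running
    codeword instead of recomputing it."""
    k, n = len(rows), len(rows[0])
    coeffs, word, best = [0] * k, [0] * n, n
    for _ in range(p ** k - 1):
        i = 0
        while coeffs[i] == p - 1:   # digit wraps p-1 -> 0, i.e. one more copy of row i
            coeffs[i] = 0
            word = [(w + r) % p for w, r in zip(word, rows[i])]
            i += 1
        coeffs[i] += 1
        word = [(w + r) % p for w, r in zip(word, rows[i])]
        best = min(best, sum(1 for w in word if w))
    return best


def parameters(q, m, s):
    """(n, k, d) of Hyp_q(s, m) = E(s) for s in S, from Theorem 2 and Remark 2."""
    if s not in S_values(q, m):
        raise ValueError("s must lie in S; E(s) equals E(s') for the largest s' in S below s")
    n = q ** m
    return n, n - V(m, n - s - 1, q), n - s


if __name__ == "__main__":
    q, m, s = 3, 3, 19                     # the paper's running example
    G = generator_matrix(q, m, s)
    print("S =", S_values(q, m))
    print("(n, k, d) from the formulas:", parameters(q, m, s))
    print("rank of G:", rank_mod_p(G, q), " exhaustive d:", min_distance(G, q))
```

The exhaustive search visits all $3^{11}$ codewords, which is cheap for the running example; for anything larger, Theorem 2 and the formula $q^m - V(m, q^m - s - 1)$ are the only practical route, and `len(S_values(q, m))` counts the distinct hyperbolic codes for given $q$ and $m$ (for $q = 64$, $m = 3$ this is the count the paper compares with the 190 generalized Reed-Muller codes in Example 3).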



4 The Generalized Hamming Weights 

In this section we are concerned with the generalized Hamming weights of the hyperbolic codes. The idea of generalized Hamming weights for a linear code is to generalize the concept of the minimum distance. We have the following definition. Given
$$U = \{u_1 = (u_{11}, \ldots, u_{1n}), \ldots, u_s = (u_{s1}, \ldots, u_{sn})\} \subseteq \mathbb{F}_q^n$$
define the support of $U$ to be
$$\mathrm{Supp}(U) := \{i \mid \exists\, u_t \in U \text{ with } u_{ti} \ne 0\}.$$
Consider a linear code $C$ of dimension $k$. For $h = 1, \ldots, k$ the $h$th generalized Hamming weight is defined to be
$$d_h := \min\{\#\mathrm{Supp}(U) \mid U \text{ is a linear subcode of } C \text{ of dimension } h\}.$$
The set $\{d_1, \ldots, d_k\}$ is called the weight hierarchy of $C$.

As we will show below, the $h$th generalized Hamming weight of the hyperbolic code $\mathrm{Hyp}_q(s,m)$ is related to the following number.
Definition 7.
$$\eta_h(q, s, m) := \max\{\#\Delta_\prec(\langle M_1, \ldots, M_h, X_1^q, \ldots, X_m^q \rangle) \mid M_i \ne M_j \text{ for } i \ne j,\ M_i \in \mathcal{M}_m^{(q)}(s) \text{ for } i = 1, \ldots, h\}.$$

Note that the number $\#\Delta_\prec(\langle M_1, \ldots, M_h, X_1^q, \ldots, X_m^q \rangle)$ is easily calculated. It is simply the number of monomials in $\mathcal{M}_m$ that are not divisible by any of the monomials $M_1, \ldots, M_h, X_1^q, \ldots, X_m^q$. To ease the notation we will in the remaining part of this paper use the following convention. Given $F = \{M_1, \ldots, M_l\}$ we write
$$\langle F, X_1^q, \ldots, X_m^q \rangle := \langle M_1, \ldots, M_l, X_1^q, \ldots, X_m^q \rangle.$$

To establish the correspondence between $\eta_h(q,s,m)$ and the $h$th generalized Hamming weight we will need the following definition.

Definition 8. For $M_1, \ldots, M_h \in \mathcal{M}_m$ where $h \ge 2$, let $\gcd(M_1, \ldots, M_h)$ denote the greatest common divisor of $M_1, \ldots, M_h$. For a single element $M_1 \in \mathcal{M}_m$ we write $\gcd(M_1) := M_1$. The set $D = \{M_1, \ldots, M_h\} \subseteq \mathcal{M}_m^{(q)}(s)$ is said to be a dense set related to $\mathrm{Hyp}_q(s,m)$ if
$$\{X_1^{b_1} \cdots X_m^{b_m} \in \Delta_\prec(\langle D, X_1^q, \ldots, X_m^q \rangle) \mid a_i \le b_i,\ i = 1, \ldots, m\} \subseteq \mathcal{M}_m^{(q)}(s),$$
where $X_1^{a_1} \cdots X_m^{a_m} = \gcd(M_1, \ldots, M_h)$. A set $D = \{M_1, \ldots, M_h\} \subseteq \mathcal{M}_m^{(q)}(s)$ is said to be an optimal set of size $h$ related to $\mathrm{Hyp}_q(s,m)$ if $M_i \ne M_j$ for $i \ne j$ and
$$\#\Delta_\prec(\langle D, X_1^q, \ldots, X_m^q \rangle) = \eta_h(q, s, m).$$

Example 4. This is a continuation of Examples 1 and 2. The optimal sets of size 2 corresponding to $\mathcal{M}_3^{(3)}(19)$ are $\{X_iX_j, X_1X_2X_3\}$, $i \ne j$. Hence $\eta_2(3, 19, 3) = 15$: the footprint of $\langle X_iX_j, X_1X_2X_3, X_1^3, X_2^3, X_3^3 \rangle$ consists of the $27 - 2 \cdot 2 \cdot 3 = 15$ monomials with all exponents below 3 that are not divisible by $X_iX_j$. All these sets are dense, as for all choices of $i, j$, $i \ne j$,
$$\{X_1^{b_1}X_2^{b_2}X_3^{b_3} \in \Delta_\prec(\langle X_iX_j, X_1X_2X_3, X_1^3, X_2^3, X_3^3 \rangle) \mid 1 \le b_i,\ 1 \le b_j\} = \emptyset \subseteq \mathcal{M}_3^{(3)}(19)$$
holds.

Example 5. Let $M' = X_1^{a_1} \cdots X_m^{a_m} \in \mathcal{M}_m$ be any monomial. Clearly
$$\{X_1^{b_1} \cdots X_m^{b_m} \in \Delta_\prec(\langle M', X_1^q, \ldots, X_m^q \rangle) \mid a_i \le b_i,\ i = 1, \ldots, m\}$$
is equal to the empty set. Hence, in particular, any optimal set of size 1 related to $\mathrm{Hyp}_q(s,m)$ is dense.

Having introduced the concepts of a dense and an optimal set related to $\mathrm{Hyp}_q(s,m)$ we are now able to state the following theorem concerning the $h$th generalized Hamming weight. By Example 5 this theorem is a generalization of Theorem 2.
Theorem 4. The $h$th generalized Hamming weight of $\mathrm{Hyp}_q(s,m)$ satisfies
$$d_h \ge q^m - \eta_h(q, s, m). \qquad (2)$$
If a dense optimal set of size $h$ related to $\mathrm{Hyp}_q(s,m)$ exists, then equality holds in (2).

Proof. To see the first part we argue as in the proof of Proposition 1. Consider an $h$-dimensional subspace
$$\mathrm{Span}_{\mathbb{F}_q}\Bigl\{\mathrm{ev}\Bigl(\sum_{i=1}^{t_1} \gamma_{i1} M_{i1}\Bigr), \ldots, \mathrm{ev}\Bigl(\sum_{i=1}^{t_h} \gamma_{ih} M_{ih}\Bigr)\Bigr\} \subseteq \mathrm{Hyp}_q(s,m).$$
We may without loss of generality assume that all $M_{ij}$ belong to $\mathcal{M}_m^{(q)}(s)$, that $M_{t_j j} \succ M_{kj}$ and $\gamma_{t_j j} \ne 0$ hold for $j = 1, \ldots, h$ and $k = 1, \ldots, t_j - 1$. Further we may assume that $M_{t_1 1}, \ldots, M_{t_h h}$ are different. Now
$$\Delta_\prec\Bigl(\Bigl\langle \sum_{i=1}^{t_1} \gamma_{i1} M_{i1}, \ldots, \sum_{i=1}^{t_h} \gamma_{ih} M_{ih},\ X_1^q - X_1, \ldots, X_m^q - X_m \Bigr\rangle\Bigr) \subseteq \Delta_\prec(\langle M_{t_1 1}, \ldots, M_{t_h h}, X_1^q, \ldots, X_m^q \rangle).$$
Hence, by the footprint bound and the definition of $\eta_h(q,s,m)$, the number of common zeros in $\mathbb{F}_q^m$ of
$$\sum_{i=1}^{t_1} \gamma_{i1} M_{i1}, \ldots, \sum_{i=1}^{t_h} \gamma_{ih} M_{ih}$$
is at most $\eta_h(q,s,m)$. The bound $d_h \ge q^m - \eta_h(q,s,m)$ follows.

To prove the last part of the theorem assume next that we are given a dense optimal set $D_1 = \{M_1, \ldots, M_h\}$ related to $\mathrm{Hyp}_q(s,m)$. From above we know
$$d_h \ge q^m - \#\Delta_\prec(\langle D_1, X_1^q, \ldots, X_m^q \rangle). \qquad (3)$$
What remains to be shown is
$$d_h \le q^m - \#\Delta_\prec(\langle D_1, X_1^q, \ldots, X_m^q \rangle). \qquad (4)$$
Clearly (3) and (4) together prove the theorem. To establish (4) let
$$X_1^{a_1} \cdots X_m^{a_m} = \gcd(M_1, \ldots, M_h)$$
and define
$$D_2 := \{X_1^{b_1} \cdots X_m^{b_m} \in \mathcal{M}_m^{(q)}(s) \mid a_i \le b_i \text{ for } i = 1, \ldots, m\}.$$
Note that $\gcd(M_1, \ldots, M_h)$ itself lies in $D_2$, since it divides $M_1 \in \mathcal{M}_m^{(q)}(s)$ and $D$ does not increase when passing to a divisor. The proof of (4) requires three results. To show the first of these, observe that $D_1 \subseteq D_2$. Hence
$$\Delta_\prec(\langle D_2, X_1^q, \ldots, X_m^q \rangle) \subseteq \Delta_\prec(\langle D_1, X_1^q, \ldots, X_m^q \rangle).$$
Next observe that by the assumption that $D_1$ is dense, the elements in $\Delta_\prec(\langle D_1, X_1^q, \ldots, X_m^q \rangle)$ that are not in $\Delta_\prec(\langle D_2, X_1^q, \ldots, X_m^q \rangle)$ are all in $\mathcal{M}_m^{(q)}(s)$ (they are divisible by the gcd, hence they belong to $D_2$). And finally observe that by the definition of $D_2$ there are precisely $\#D_2$ elements in $\mathcal{M}_m^{(q)}(s)$ that are not contained in $\Delta_\prec(\langle D_2, X_1^q, \ldots, X_m^q \rangle)$; among these are the monomials $M_1, \ldots, M_h$. From the above observations we conclude
$$\#\Delta_\prec(\langle D_1, X_1^q, \ldots, X_m^q \rangle) - \#\Delta_\prec(\langle D_2, X_1^q, \ldots, X_m^q \rangle) \le \#D_2 - h. \qquad (5)$$
This is the first result needed to prove (4). Next denote, as earlier in this paper, $\mathbb{F}_q = \{\alpha_1, \ldots, \alpha_q\}$. Define the map $\mathcal{P} : D_2 \to \mathbb{F}_q[X_1, \ldots, X_m]$ by
$$\mathcal{P}(X_1^{b_1} \cdots X_m^{b_m}) := (X_1 - \alpha_1) \cdots (X_1 - \alpha_{b_1})(X_2 - \alpha_1) \cdots (X_2 - \alpha_{b_2}) \cdots (X_m - \alpha_1) \cdots (X_m - \alpha_{b_m}).$$
Now $\mathrm{Span}_{\mathbb{F}_q}\{\mathrm{ev}(\mathcal{P}(M)) \mid M \in D_2\}$ is a $\#D_2$-dimensional subspace of $\mathrm{Hyp}_q(s,m)$: $\mathcal{P}(M)$ has leading monomial $M$, and every other monomial of $\mathcal{P}(M)$ divides $M$ and so lies in $\mathcal{M}_m^{(q)}(s)$. By the very definition of $D_2$ we have $a_i \le b_i$ for $i = 1, \ldots, m$. Therefore
$$(X_1 - \alpha_1) \cdots (X_1 - \alpha_{a_1})(X_2 - \alpha_1) \cdots (X_2 - \alpha_{a_2}) \cdots (X_m - \alpha_1) \cdots (X_m - \alpha_{a_m})$$
is a factor of all the polynomials in the image of $\mathcal{P}$. So the size of the support of the $\#D_2$-dimensional subspace $\mathrm{Span}_{\mathbb{F}_q}\{\mathrm{ev}(\mathcal{P}(M)) \mid M \in D_2\}$ is at most $(q - a_1)(q - a_2) \cdots (q - a_m)$. We get
$$d_{\#D_2} \le (q - a_1)(q - a_2) \cdots (q - a_m) = q^m - \bigl(q^m - (q - a_1)(q - a_2) \cdots (q - a_m)\bigr) = q^m - \#\Delta_\prec(\langle D_2, X_1^q, \ldots, X_m^q \rangle). \qquad (6)$$
This is the second result needed to prove (4). The third and last result needed to prove (4), and thereby the theorem, is the following well-known fact that holds for an arbitrary code $C$, namely that
$$d_h \le d_{h+1} - 1 \qquad (7)$$
for any $h$, $1 \le h < \dim(C)$. Using (7), (6) and (5) respectively we get
$$d_h \le d_{\#D_2} - (\#D_2 - h) \le q^m - \#\Delta_\prec(\langle D_2, X_1^q, \ldots, X_m^q \rangle) - (\#D_2 - h)
\le q^m - \#\Delta_\prec(\langle D_1, X_1^q, \ldots, X_m^q \rangle) + (\#D_2 - h) - (\#D_2 - h) = q^m - \#\Delta_\prec(\langle D_1, X_1^q, \ldots, X_m^q \rangle),$$
and (4) is established. The proof is completed. □



Example 6. This is a continuation of Example 4. By Theorem 4 we have $d_2(E(19)) = 3^3 - \eta_2(3, 19, 3) = 27 - 15 = 12$. Indeed, the subcode spanned by $\mathrm{ev}(X_1X_2)$ and $\mathrm{ev}(X_1X_2X_3)$ has as its support exactly the $2 \cdot 2 \cdot 3 = 12$ points with $x_1 x_2 \ne 0$.
Example 7. Consider the code $\mathrm{Hyp}_5(16, 2)$. The set $D_1 = \{X_2^3, X_1X_2^2, X_1^2X_2^2\}$ is a dense and optimal set of size 3. We have $\#\Delta_\prec(\langle D_1, X_1^5, X_2^5 \rangle) = 11$. Hence, by Theorem 4, $d_3 = 5^2 - 11 = 14$. Following the ideas of the proof of Theorem 4 we note that $\gcd(X_2^3, X_1X_2^2, X_1^2X_2^2) = X_2^2$, and we therefore consider $D_2 = \{X_2^2, X_2^3, X_1X_2^2, X_1^2X_2^2\}$. Now it can be shown that the set $D_2$ in the proof of Theorem 4 is in general a dense and optimal set related to $\mathrm{Hyp}_q(s,m)$. In particular the set $D_2$ from this example is a dense and optimal set related to $\mathrm{Hyp}_5(16,2)$. Now $\#\Delta_\prec(\langle D_2, X_1^5, X_2^5 \rangle) = \#\Delta_\prec(\langle D_1, X_1^5, X_2^5 \rangle) - 1$ is easily seen. We conclude $d_4 = d_3 + 1 = 15$.

We give a special treatment to the second generalized Hamming weight of $\mathrm{Hyp}_q(s, 2)$.

Lemma 1. Given a hyperbolic code $\mathrm{Hyp}_q(s,2)$ of dimension at least 2, there exists an optimal dense set of size 2 related to $\mathrm{Hyp}_q(s,2)$.

Proof. Let $O = \{X_1^aX_2^b, X_1^{a+u}X_2^{b-v}\} \subseteq \mathcal{M}_2^{(q)}(s)$ be an optimal set. We will show that either $O$ is dense or another optimal set exists that is dense. If one of the two monomials divides the other, in particular if $u = 0$ or $v = 0$, then $\gcd(O)$ is itself an element of $O$, the set in Definition 8 is empty, and $O$ is dense, so we are through. In the remaining part of the proof we may therefore (after interchanging the roles of the two monomials if necessary) assume $u, v \ge 1$.

We first assume $u = v =: l$. As $X_1^{a+l}X_2^{b-l}$ is contained in $\mathcal{M}_2^{(q)}(s)$ we must have
$$1 \le l \le q - 1 - a. \qquad (8)$$
Consider
$$\#\Delta_\prec(\langle X_1^aX_2^b, X_1^{a+l}X_2^{b-l}, X_1^q, X_2^q \rangle) = \bigl(q^2 - (q-a)(q-b)\bigr) - l(q - a - l) = (aq + bq - ab) - (q-a)l + l^2. \qquad (9)$$
Now (9) describes a polynomial in $l$ of degree 2 with global minimum at $l = (q-a)/2$. This (possibly non-integer) value of $l$ is situated precisely in the center of the interval $[1, q-1-a]$, so on this interval (9) is largest at the two endpoints $l = 1$ and $l = q-1-a$, where it takes the same value. Hence, by the assumption that an optimal set $\{X_1^aX_2^b, X_1^{a+l}X_2^{b-l}\}$ exists and by (8), we conclude that $\{X_1^aX_2^b, X_1^{a+1}X_2^{b-1}\}$ is an optimal set. This set is clearly dense: its gcd is $X_1^aX_2^{b-1}$, and the only footprint monomial divisible by it is $X_1^aX_2^{b-1}$ itself, a divisor of $X_1^aX_2^b \in \mathcal{M}_2^{(q)}(s)$.

Finally we assume without loss of generality that $0 < v < u$. We have
$$\#\Delta_\prec(\langle X_1^aX_2^b, X_1^{a+u}X_2^{b-v}, X_1^q, X_2^q \rangle) = q^2 - (q - (a+u))(q - (b-v)) - u(q-b)
\le q^2 - (q-a-u)(q-b+v) - (q-b) - v(q-b). \qquad (10)$$
Consider the dense set
$$O' := \{X_1^{a+u-1}X_2^{b-v}, X_1^{a+u}X_2^{b-v}\} \subseteq \mathcal{M}_2^{(q)}(s).$$
We have
$$\#\Delta_\prec(\langle X_1^{a+u-1}X_2^{b-v}, X_1^{a+u}X_2^{b-v}, X_1^q, X_2^q \rangle) = q^2 - (q-a-u)(q-b+v) - (q-b) - v
\ge q^2 - (q-a-u)(q-b+v) - (q-b) - v(q-b), \qquad (11)$$
where the last inequality follows from the fact $b \le q-1$ (this is a necessary condition for $X_1^aX_2^b$ to be contained in $\mathcal{M}_2^{(q)}(s)$). Comparing (10) and (11) we see that if $O$ is optimal then so is $O'$. The proof is completed. □

Proposition 2. The second generalized Hamming weight of a hyperbolic code $\mathrm{Hyp}_q(s,2)$ of dimension at least 2 is given by $d_2 = q^2 - \eta_2(q, s, 2)$.

Proof. By Theorem 4 and Lemma 1. □

Having a dense and optimal set of size $h$ one might hope that it is possible to add a monomial to get a dense and optimal set of size $h+1$. However, as the following example illustrates, this strategy is not in general fruitful.

Example 8. Consider the code $\mathrm{Hyp}_7(42, 2)$. Now $X_1^6$ and $X_2^6$ are the only monomials in $\mathcal{M}_2^{(7)}(42)$ that are mapped to 42 under the map $D$. That is, $\{X_1^6\}$ and $\{X_2^6\}$ are the only optimal sets of size 1 related to $\mathrm{Hyp}_7(42,2)$. We want to illustrate that if a set $\{M_1, M_2\}$ is an optimal set of size 2 related to $\mathrm{Hyp}_7(42,2)$ (meaning in particular that $M_1 \ne M_2$) then neither $X_1^6$ nor $X_2^6$ can belong to the set. By symmetry it is enough to consider $X_1^6$. To maximize $\#\Delta_\prec(\langle X_1^6, N, X_1^7, X_2^7 \rangle)$ we must choose $N = X_1^5X_2^3$. Now $\{X_1^6, X_1^5X_2^3\}$ is not optimal: using the construction from the proof of Lemma 1 we recognize that $\{X_1^5X_2^2, X_1^5X_2^3\}$ is a dense set with
$$\#\Delta_\prec(\langle X_1^5X_2^2, X_1^5X_2^3, X_1^7, X_2^7 \rangle) \ge \#\Delta_\prec(\langle X_1^6, X_1^5X_2^3, X_1^7, X_2^7 \rangle).$$
By inspection the first number is 39 and the last is 38. By further inspection we find that $\{X_1^5X_2^2, X_1^5X_2^3\}$ is actually optimal. We conclude that $d_2(\mathrm{Hyp}_7(42, 2)) = 7^2 - 39 = 10$.
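Definition 7, Definition 8 and the criterion of Theorem 4 are all finite computations, and the following Python code (an added example by the editor, not part of the paper) performs them by brute force: it enumerates every size-$h$ subset of $\mathcal{M}_m^{(q)}(s)$, computes $\eta_h(q,s,m)$ together with all optimal sets, tests each optimal set for density, and reports the lower bound $q^m - \eta_h$ of (2) as the exact value of $d_h$ whenever a dense optimal set is found. The parameter sets are those of Examples 4 to 8; function names are the editor's, and the search is only feasible for small $q$, $m$ and $h$.

```python
from itertools import combinations, product


def footprint_size(q, m, gens):
    """#Delta(<gens, X_1^q, ..., X_m^q>) for generators given as exponent tuples."""
    return sum(1 for e in product(range(q), repeat=m)
               if not any(all(e[i] >= g[i] for i in range(m)) for g in gens))


def monomials(q, m, s):
    """M_m^{(q)}(s): exponent tuples a with D(X^a) = q^m - prod(q - a_i) <= s."""
    out = []
    for a in product(range(q), repeat=m):
        shadow = 1
        for ai in a:
            shadow *= q - ai
        if q ** m - shadow <= s:
            out.append(a)
    return out


def eta(q, s, m, h):
    """eta_h(q, s, m) of Definition 7 and the list of all optimal sets of size h."""
    best, optimal = -1, []
    for Dset in combinations(monomials(q, m, s), h):
        size = footprint_size(q, m, Dset)
        if size > best:
            best, optimal = size, [Dset]
        elif size == best:
            optimal.append(Dset)
    return best, optimal


def is_dense(q, s, m, Dset):
    """Definition 8: every footprint monomial divisible by gcd(Dset) lies in M_m^{(q)}(s)."""
    gcd = tuple(min(M[i] for M in Dset) for i in range(m))
    allowed = set(monomials(q, m, s))
    for e in product(range(q), repeat=m):
        in_shadow = any(all(e[i] >= M[i] for i in range(m)) for M in Dset)
        above_gcd = all(e[i] >= gcd[i] for i in range(m))
        if not in_shadow and above_gcd and e not in allowed:
            return False
    return True


def generalized_weight(q, s, m, h):
    """Theorem 4: returns (lower bound q^m - eta_h, exact d_h or None, witness).
    The exact value is reported only when some optimal set of size h is dense."""
    best, optimal = eta(q, s, m, h)
    bound = q ** m - best
    for Dset in optimal:
        if is_dense(q, s, m, Dset):
            return bound, bound, Dset
    return bound, None, None


if __name__ == "__main__":
    cases = (((3, 19, 3), (1, 2)), ((5, 16, 2), (3, 4)), ((7, 42, 2), (2,)))
    for (q, s, m), hs in cases:
        for h in hs:
            bound, exact, witness = generalized_weight(q, s, m, h)
            print(f"Hyp_{q}({s},{m}): d_{h} >= {bound}, exact = {exact}, dense optimal set = {witness}")
```

When `generalized_weight` returns `None` for the exact value, no optimal set of that size is dense and Theorem 4 gives only the bound (2); that is precisely the situation the open problem at the end of this section asks about.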

Remark 3. In [7] Heijnen and Pellikaan gave a general method for bounding the generalized Hamming weights of a class of duals of evaluation codes and obtained exact values for the generalized Reed-Muller codes. It seems likely that a generalization of their results to a larger class of codes would give our bound (2).

We leave it as an open problem to find the answer to the following question. For which values of $q$, $s$, $m$ and $h$, $1 \le h \le \dim(\mathrm{Hyp}_q(s,m))$, does $\mathrm{Hyp}_q(s,m)$ possess a dense and optimal set of size $h$? We note that the answer to this question may possibly be that all choices of $q$, $s$, $m$ and $h$ ensure that a dense and optimal set of size $h$ exists.

5 Conclusion 

Using the concept of a footprint from Gröbner basis theory we have given a new description of the hyperbolic codes such that their minimum distance and generator matrix are easily determined. We also presented a method for the determination of the dimension of these codes and gave lower bounds on the generalized Hamming weights, with a criterion for having equality in these bounds. Whether it is always possible to meet this criterion is left as an open problem.
Abstract. Fast interpolation methods for the original and improved versions of list decoding of one-point algebraic-geometry codes are presented. The methods are based on Gröbner basis theory and the BMS algorithm for multiple arrays, although their forms are different in the original list decoding algorithm (Sudan algorithm) and the improved list decoding algorithm (Guruswami-Sudan algorithm). The computational complexity is less than that of the conventional Gaussian elimination method.



1 Introduction 

List decoding is a kind of, or rather an extension of, bounded-distance decoding. While conventional bounded-distance decoding aims to find a unique codeword within the error-correction bound, i.e. half the minimum distance, list decoding attempts to give all the codewords within the Hamming sphere having a given received word as its center and a certain radius greater than half the minimum distance. Sudan [1] invented an algebraic method with polynomial complexity for list decoding of RS codes with coding rate less than 1/3. Soon after, his method was extended to one-point algebraic-geometry (AG) codes by Shokrollahi and Wasserman [2]. Furthermore, Guruswami and Sudan [3] presented an improved version of the Sudan algorithm for both RS and one-point AG codes, which is effective even for higher coding rates. We call the original algorithm [1][2] and the improved one [3] the Sudan algorithm and the Guruswami-Sudan (GS) algorithm, respectively, where the GS algorithm is a generalization of the Sudan algorithm in the sense that the former reduces to the latter by taking a special value of its parameter. Each of the Sudan and GS algorithms is composed of two main procedures, where the first is to find a kind of interpolation polynomial or function and the second is to factorize the outcome of the first procedure into linear factors over a function field, so that one can get all the candidates for the desired codewords. Both procedures are algebraic and have polynomial complexity, but their original forms have a high complexity. Several efficient versions have been investigated, among which are fast interpolation algorithms given by Roth and Ruckenstein [4], Numakami, Fujisawa, and Sakata [5], Olshevsky and Shokrollahi [6], etc., and fast factorization algorithms by Augot and Pecquet [7], Matsumoto [8], Wu and Siegel [9], Gao and Shokrollahi [10], etc. In particular, a fast interpolation method [5] for GS list decoding of RS codes was given based on a modification of the BMS algorithm [11]. Further, a fast interpolation algorithm [12] for Sudan list decoding of AG codes can be obtained based on the BMS algorithm [13], since the required system of linear equations has a nice structure, such as a block-Hankel matrix, suitable for fast algorithms in these cases. On the other hand, the counterpart for GS list decoding has not been given yet, though some proposal [15] has been offered. Reformulations of the GS algorithm for RS codes and AG codes were presented by Nielsen and Høholdt [14] and by Høholdt and Nielsen [15], respectively, based on some results by Feng and Blahut [16].

In this paper we present some new proposals of fast interpolation for GS list decoding of one-point AG codes in the framework of the Høholdt-Nielsen theory [15]. They are inspired by Gröbner basis theory, which has not been referred to in any previous relevant work on list decoding of one-point AG codes, and are based on the BMS algorithm [11] for multiple arrays in a fashion different from that used in the fast interpolation for both GS list decoding of RS codes and Sudan list decoding of one-point AG codes.

^1 This work is partly supported by the Science Foundation of the Japanese Educational Ministry under Grant No. 12650368.

2 Preliminaries 

In this section we present a brief survey of one-point AG codes, particularly Hermitian codes, and of the GS list decoding algorithm for one-point AG codes according to the formulation by Høholdt and Nielsen [15].

2.1 Hermitian Codes 

In this paper we discuss Hermitian codes in most cases, but we can treat any one-point AG codes in a similar fashion. A Hermitian code over a finite field $\mathbb{F}_q$ is defined from a Hermitian curve $\mathcal{X}: x^{q_1+1} + y^{q_1} + y = 0$, where $q = q_1^2$, and we restrict ourselves to the case of a field $\mathbb{F}_q$ with characteristic 2, i.e. $q_1$ a power of 2 and $q = q_1^2$. The curve is nonsingular and has genus $g = q_1(q_1 - 1)/2$. With $N = q_1^3$, let $\mathcal{P} = \{P_1, P_2, \ldots, P_N\}$ be all the $\mathbb{F}_q$-rational points of the curve $\mathcal{X}$ except for the infinity point $P_\infty$. For the ideal $I_{\mathcal{X}} = \langle x^{q_1+1} + y^{q_1} + y \rangle \subseteq \mathbb{F}_q[x,y]$ we have the coordinate ring $R(\mathcal{X}) = \mathbb{F}_q[x,y]/I_{\mathcal{X}}$ and the function field $\mathbb{F}_q(\mathcal{X})$ on the curve $\mathcal{X}$. Then, for a fixed integer $m$, a Hermitian code is defined as $C = \{c = (c_l) \in \mathbb{F}_q^N \mid c_l = f(P_l),\ 1 \le l \le N,\ f \in \mathcal{L}(mP_\infty)\}$ by a linear subspace $\mathcal{L}(mP_\infty)$ of the linear space $\mathcal{L}(\infty P_\infty)$, which is the set of all algebraic functions $f \in \mathbb{F}_q(\mathcal{X})$ having a single pole at the point $P_\infty$. The set $\mathcal{L}(\infty P_\infty)$ can be identified with the ring $R := R(\mathcal{X})$ in the case of the Hermitian curve, and it is spanned by the set of functions $\{x^iy^j \mid (i,j) \in \Sigma\}$ for the subset $\Sigma := \{(i,j) \in \mathbb{Z}_0^2 \mid 0 \le i,\ 0 \le j \le q_1 - 1\}$ of the 2D integral lattice $\mathbb{Z}_0^2$, where we remark that the functions $x, y$ have pole orders $o(x) = -v_{P_\infty}(x) = q_1$, $o(y) = -v_{P_\infty}(y) = q_1 + 1$, respectively. We arrange the basis elements $\phi_1, \phi_2, \ldots$ of $\mathcal{L}(\infty P_\infty)$ in increasing order w.r.t. pole order $o_l = -v_{P_\infty}(\phi_l)$ such that $o_1 = 0 < o_2 < o_3 < \cdots$, where $o_l = l + g - 1$ for $l > g$ by the Riemann-Roch theorem. This order induces the total order $<_T$ over the 2D set $\Sigma$ as the $(q_1, q_1+1)$-weighted order, and the multidegree of a function or polynomial $f = \sum_{(i,j) \in \mathrm{Supp}(f)} f_{ij}x^iy^j \in R$ as $\deg(f) := \max_T \mathrm{Supp}(f) \in \Sigma$, which we simply call the degree of $f$. If $N > m \ge 2g - 1$, the code $C$ has dimension $K := \dim(C) = m - g + 1$ and minimum distance $d \ge d^* := N - m$, where $\mathcal{L}(mP_\infty) = \langle \phi_1, \ldots, \phi_K \rangle = \langle x^iy^j \mid (i,j) \in \Sigma,\ q_1 i + (q_1+1) j \le m \rangle$. For list decoding of Hermitian codes, it is required to find all the codewords $c = (c_l) \in C$ such that $d(c, w) \le \tau$ for a given received word $w = (w_l) \in \mathbb{F}_q^N$ and an integer $\tau$ greater than $\lfloor (d^* - 1)/2 \rfloor$, the conventional bounded-distance radius.
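The objects of this subsection are small enough to be built explicitly, and the following Python code (an added example by the editor, not part of the paper) does so: it implements $GF(p^2)$ as pairs over $GF(p)$, enumerates the affine $\mathbb{F}_q$-rational points of $x^{q_1+1} + y^{q_1} + y = 0$ (checking $N = q_1^3$), lists the basis $\{x^iy^j \mid (i,j) \in \Sigma,\ q_1 i + (q_1+1) j \le m\}$ of $\mathcal{L}(mP_\infty)$, evaluates it at the points to obtain the generator matrix of $C$, and verifies $K = m - g + 1$ by a rank computation. For $q_1 = 2$ (the [8, 4] code over $GF(4)$ with $m = 4$) the true minimum distance is also found exhaustively and compared with $d^* = N - m$; $q_1 = 3$ over $GF(9)$ is run as well to show that the point count and the dimension formula do not depend on the characteristic-2 restriction. The irreducible polynomials $t^2 + t + 1$ and $t^2 + 1$ and all function names are the editor's choices.

```python
from itertools import product


class GFp2:
    """GF(p^2): elements are pairs (c0, c1) standing for c0 + c1*t, reduced modulo an
    irreducible polynomial t^2 + r1*t + r0 over GF(p).  Used below as
    GF(4) = GFp2(2, 1, 1) (t^2 + t + 1) and GF(9) = GFp2(3, 0, 1) (t^2 + 1)."""

    def __init__(self, p, r1, r0):
        self.p, self.r1, self.r0, self.q = p, r1, r0, p * p
        self.zero, self.one = (0, 0), (1, 0)
        self.elements = [(a, b) for a in range(p) for b in range(p)]

    def add(self, x, y):
        return ((x[0] + y[0]) % self.p, (x[1] + y[1]) % self.p)

    def sub(self, x, y):
        return ((x[0] - y[0]) % self.p, (x[1] - y[1]) % self.p)

    def mul(self, x, y):
        c0, c1, c2 = x[0] * y[0], x[0] * y[1] + x[1] * y[0], x[1] * y[1]
        return ((c0 - c2 * self.r0) % self.p, (c1 - c2 * self.r1) % self.p)  # t^2 = -r1 t - r0

    def pow(self, x, e):
        r = self.one
        for _ in range(e):
            r = self.mul(r, x)
        return r

    def inv(self, x):
        return self.pow(x, self.q - 2)  # x^(q-1) = 1 for x != 0


def hermitian_points(F, q1):
    """Affine F_q-rational points of x^{q1+1} + y^{q1} + y = 0, q = q1^2 (P_inf omitted)."""
    return [(x, y) for x, y in product(F.elements, repeat=2)
            if F.add(F.add(F.pow(x, q1 + 1), F.pow(y, q1)), y) == F.zero]


def basis_of_L(q1, m):
    """Exponents (i, j) of the functions x^i y^j spanning L(m P_inf): pole order
    q1*i + (q1+1)*j <= m with 0 <= j <= q1 - 1, as in Section 2.1."""
    return [(i, j) for j in range(q1) for i in range(m // q1 + 1) if q1 * i + (q1 + 1) * j <= m]


def designed_parameters(q1, m):
    """(N, K, d*) with N = q1^3, K = m - g + 1, d* = N - m, valid for 2g-1 <= m < N."""
    g = q1 * (q1 - 1) // 2
    if not 2 * g - 1 <= m < q1 ** 3:
        raise ValueError("m outside the range where K = m - g + 1 holds")
    return q1 ** 3, m - g + 1, q1 ** 3 - m


def generator_matrix(F, q1, m):
    """Rows (f(P_1), ..., f(P_N)) for f = x^i y^j running through the basis of L(m P_inf)."""
    pts = hermitian_points(F, q1)
    return [[F.mul(F.pow(x, i), F.pow(y, j)) for x, y in pts] for i, j in basis_of_L(q1, m)]


def rank(F, rows):
    """Rank over F by Gauss-Jordan elimination."""
    A, rk = [r[:] for r in rows], 0
    for col in range(len(A[0])):
        piv = next((i for i in range(rk, len(A)) if A[i][col] != F.zero), None)
        if piv is None:
            continue
        A[rk], A[piv] = A[piv], A[rk]
        inv = F.inv(A[rk][col])
        A[rk] = [F.mul(inv, v) for v in A[rk]]
        for i in range(len(A)):
            if i != rk and A[i][col] != F.zero:
                f = A[i][col]
                A[i] = [F.sub(v, F.mul(f, w)) for v, w in zip(A[i], A[rk])]
        rk += 1
    return rk


def min_distance(F, rows):
    """Exhaustive minimum distance; fine for the [8, 4] code over GF(4), not for larger ones."""
    best = len(rows[0])
    for coeffs in product(F.elements, repeat=len(rows)):
        if all(c == F.zero for c in coeffs):
            continue
        word = [F.zero] * len(rows[0])
        for c, r in zip(coeffs, rows):
            word = [F.add(w, F.mul(c, v)) for w, v in zip(word, r)]
        best = min(best, sum(1 for w in word if w != F.zero))
    return best


if __name__ == "__main__":
    F4, F9 = GFp2(2, 1, 1), GFp2(3, 0, 1)
    G = generator_matrix(F4, 2, 4)
    print("q1=2: N =", len(hermitian_points(F4, 2)), " (N, K, d*) =", designed_parameters(2, 4),
          " rank =", rank(F4, G), " true d =", min_distance(F4, G))
    print("q1=3: N =", len(hermitian_points(F9, 3)), " rank for m=10:", rank(F9, generator_matrix(F9, 3, 10)))
```

For $q_1 = 2$, $m = 4$ the bound $d \ge d^* = 4$ is attained: $f = (x - \alpha)(x - \beta)$ with $\alpha \ne \beta$ lies in $\mathcal{L}(4P_\infty)$ and vanishes at the two points above each of the two $x$-values, so the exhaustive search returns exactly 4.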

2.2 GS List Decoding of Hermitian Codes 

For a received word w = (wi) G F^, we consider the 3D points Pi = (Ppwi) = 
(ai,/3i,wi) G F^, 1 < I < in addition to the 2D points Pi = (a;,/?/) G P, 
1 < I < N, on X. Furthermore, we consider the polynomial ring R[z\ com- 
posed of polynomials with coefficients in R, which is spanned by functions 
of the form <l>i = 4'iz’^, whose order is defined as p{4>iz^) := oi + km [15]. 
Again we arrange the basis elements d>i in increasing order w.r.t. p{d>i) such 
that p(^o) < d(^i) < p(^ 2 ) < Correspondingly, we have the total or- 
der <g;, over the 3D set E := E x Zq {C Zg) as the (< 71,91 -I- 1, m)-weighted 
order, and the degree (i.e. multidegree) of a function or trivariate polynomial 
Q{x,y,z) = 'E(i,j,k)€Supp{Q)Qijkx"y^z’^ (Supp(Q) C E) as deg{Q{x,y,z)) := 
maxrpSupp(Q) G E. In C{mPao), instead of the above-mentioned basis {4>i,(f>2, 
• • • ) we can take another basis called an increasing zero basis , • • • , 

4>^^} for each point Pi, I < i < N, where the functions have a zero of 
increasing multiplicities at the point Pi, i.e. the valuations (> 0), 

1 < fc < AT, are such that uPi(<('i*^) < i’Pi(^ 2 ^) < ••• < vp^{(j)^^). (In case 
of the Hermitian code, we can have vp^{4>l^'^) = k— 1, l<k< K' , for 
some integer K' < K, because Pi, 1 < i < N , are nonsingular.) Let (pi = 
CjfcVfc \ 1 < l,k < K, where the K x K matrix [c;(,^j gives the trans- 
formation from the basis {(pi, - ■ ■ ,<Pk} to the basis {(pi\---,(p^^}. Then, a 
function Q{x,y,z) = Q{P,z) = J2j=pJ2k=iQjk4>kZ^ {Qjk G F^) can be writ- 
ten in the form J2'j=oYlk=i1jk4’k^ ’ where gj)] = J2f=iQji4k- ^ function 
Q{P, z) = J2i'=o (Qi S ^ 9 ) which is written also as J2'j=o Ylk=i is 

said to have a zero of multiplicity > s at = {Pi, Wi) = (oj, f3i, Wi) if and only 
if the condition holds 

djk - <llk Q =0,J + k<s, (1) 
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where we remark that Q{P,z + Wi) = ^ ■= -^(^ 2 ^)’ 

the conditions (1) for all the 3D points Pi = {Pi,Wi), 1 < i < N, imply a 
homogeneous system of L linear equations for the L -I- 1 unknown coefficients 
Qi, 0 < I < L. Therefore, there exists a function Q{P,z) G 
having a zero of multiplicity at every point Pi, 1 < i < N, which is the desired 
interpolation function in the first stage of GS list decoding of a Hermitian code. 
In Hpholdt-Nielsen’s description of GS algorithm based on an analysis of Sudan 
algorithm by Feng and Blahut [16], given a positive integer s, the integers Ts,ts 
are determined as follows: 

(’2")^ - (r^ - 1)5 < T < ("‘2^)771 - rsg, 
tsTs - g{ts) < L - ((’'2 - {t's - 1 ) 5 ) < (G + l)rs - g(G + 1), (2) 

where the function g{t) is defined as g{t) := t — dim{C{tPao)) + 1- Thus we 
have the following implementation [15] of GS algorithm to find an interpolation 
function Q{P, z) with p{Q) < {r.s — l)m + ts and finally all the codewords c such 
that d{c, w) < Tg := N — where the number of codewords cGC 

with d{c,w) < Ts is less than 

(i) Construct an increasing zero basis for each l, 1 ≤ l ≤ N; 

(ii) Find the interpolation function Q{P,z) G R\z] which has a zero of 
multiplicity at least s at all points (Pi,Wi), 1 < i < N, and whose order is 
p{Q) < {fs — 1)to -I- ts, i.e. solve the system of linear equations (1); 

(iii) Find factors z — f\Q over the function field 'Fq{X) or the ring R\z\. 

Since the complexity O(L^3) = O(N^3 s^6) of the Gaussian elimination in (ii) is 
large in the general case (s ≥ 2), we need a fast interpolation method instead. 

3 Fast Interpolation for Sudan and GS List Decoding 

Before treating fast interpolation for the more general GS algorithm, we first 
describe the method for the Sudan algorithm. 

3.1 Fast Interpolation for Sudan List Decoding 

In the case of multiplicity s = 1, i.e. for the Sudan algorithm, we obtain a fast inter- 
polation method by using the BMS algorithm [13], based on the following fact. 



Lemma 1 For P_l = (α_l, β_l, w_l), 1 ≤ l ≤ N, the sets I^{(l)} := {F = F(x,y,z) ∈ 
R[z] | F(α_l, β_l, w_l) = 0}, 1 ≤ l ≤ N, and I := ∩_{l=1}^{N} I^{(l)} are ideals in R[z]. 

A function F = F(x,y,z) ∈ R[z] can be written in the form F = Σ_{p ∈ Supp(F)} F_p X^p, 
with Supp(F) ⊂ Σ, where F_p ∈ F_q and X^p := x^i y^j z^k for p = (i,j,k) ∈ Σ. Now, for the 
N 3D arrays u^{(l)} = (u_p^{(l)}) having the components u_p^{(l)} := α_l^i β_l^j w_l^k, p = (i,j,k) ∈ 
Σ, determined from P_l = (α_l, β_l, w_l), 1 ≤ l ≤ N, we introduce another 3D array 
u = (u_p) over Σ as their sum, i.e. u_p := Σ_{l=1}^{N} u_p^{(l)}. Then we have the following lemma, 
which implies that we can apply the 3D BMS algorithm [13] to the array u 
to find a Gröbner basis of the ideal I, which contains the desired interpolation 
polynomial Q as an element. 

Lemma 2 F ∈ I if and only if the following linear recurrence holds for the 
given array u: 

Σ_{q ∈ Supp(F)} F_q u_{q+p} = 0, p ∈ Σ. (3) 

The BMS algorithm is an iterative algorithm to find a minimal set of poly- 
nomials F = Σ_{p ∈ Supp(F)} F_p X^p satisfying the identity (3) up to a certain 
point p, which finally becomes a Gröbner basis of the ideal I(u) after a finite 
number of iterations of checking components of the array and updating F at each 
point p successively (w.r.t. some appropriate total order over Σ), where the ideal 
I(u) is defined as the set of all polynomials F satisfying (3) for the array u (I(u) 
is called the characteristic ideal of u; conversely, an array u such that 
I(u) = I for a given ideal I is called a representative array of I if it exists [17]). 
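The following is an added worked example, not code from the paper, that checks Lemma 2 numerically: it builds the array u of Lemma 1 from a constructed set of 3D points, forms v = F ∘ u as in (3), and compares "F vanishes at every P_l" with "F ∘ u = 0". For simplicity the base field is taken to be the prime field F_13 instead of the field F_q of a Hermitian code (the lemma does not depend on the field), the points and polynomials are constructed for the example, and the recurrence is checked on a finite box of p rather than all of Σ; all of these are assumptions of the example.

```python
"""Added example (not from the paper): checking Lemma 2, F in I  <=>  F o u = 0.

Assumptions made here, not the paper's setting: the base field is the prime
field F_p with p = 13 (the lemma does not depend on the field), the points
P_l = (alpha_l, beta_l, w_l) are constructed below, and the array u is only
computed over a finite box rather than the whole of Sigma.
"""
from itertools import product

P = 13                      # prime modulus (assumption)
MAX_DEG = 2                 # largest exponent per variable allowed in F
BOX = 6                     # recurrence (3) is checked for all p in [0, BOX)^3

# Constructed 2D points (alpha_l, beta_l) with distinct alpha_l; the third
# coordinate w_l is chosen on the plane z = 4 + 3x + 6y so that one specific
# polynomial is known to vanish at every P_l.
XY = [(1, 2), (2, 7), (3, 1), (5, 5), (7, 11), (11, 4)]
POINTS = [(a, b, (4 + 3 * a + 6 * b) % P) for a, b in XY]

def monomial(point, p):
    """X^p = alpha^i beta^j w^k evaluated at a point, for p = (i, j, k)."""
    i, j, k = p
    a, b, w = point
    return pow(a, i, P) * pow(b, j, P) * pow(w, k, P) % P

def power_array(points, bound):
    """u_p := sum_l alpha_l^i beta_l^j w_l^k for 0 <= i, j, k < bound (the array u)."""
    return {p: sum(monomial(pt, p) for pt in points) % P
            for p in product(range(bound), repeat=3)}

# u must be known on q + p for q in Supp(F) and p in the box, hence the larger bound
U = power_array(POINTS, BOX + MAX_DEG)

def evaluate(poly, point):
    """F(alpha, beta, w) for F given as {(i, j, k): F_q}."""
    return sum(c * monomial(point, q) for q, c in poly.items()) % P

def vanishes_at_all(poly, points=POINTS):
    return all(evaluate(poly, pt) == 0 for pt in points)

def convolve(poly, u=U, box=BOX):
    """v = F o u with v_p = sum_{q in Supp(F)} F_q u_{q+p}, for p in [0, box)^3."""
    if any(max(q) > MAX_DEG for q in poly):
        raise ValueError("support exceeds MAX_DEG; enlarge the array u")
    return {p: sum(c * u[(q[0] + p[0], q[1] + p[1], q[2] + p[2])]
                   for q, c in poly.items()) % P
            for p in product(range(box), repeat=3)}

def recurrence_holds(poly, u=U, box=BOX):
    # v_p = sum_l F(P_l) X^p(P_l); with distinct alpha_l the p = (i, 0, 0), i < BOX,
    # already give a Vandermonde system, so v = 0 on the box forces F(P_l) = 0.
    return all(v == 0 for v in convolve(poly, u, box).values())

def multiply(f, g):
    """Product of two polynomials in the dict representation."""
    h = {}
    for q1, c1 in f.items():
        for q2, c2 in g.items():
            key = tuple(x + y for x, y in zip(q1, q2))
            h[key] = (h.get(key, 0) + c1 * c2) % P
    return {q: c for q, c in h.items() if c}

def lemma2_check(poly):
    """Return (F vanishes at all points, F o u = 0); Lemma 2 says both agree."""
    return vanishes_at_all(poly), recurrence_holds(poly)

# z - (4 + 3x + 6y): vanishes at every P_l by construction, hence lies in I
F_IN_I = {(0, 0, 1): 1, (0, 0, 0): (-4) % P, (1, 0, 0): (-3) % P, (0, 1, 0): (-6) % P}
# z - (5 + 3x + 6y): differs by the constant 1, so it vanishes at no P_l
G_NOT_IN_I = {**F_IN_I, (0, 0, 0): (-5) % P}

if __name__ == "__main__":
    print("F:", lemma2_check(F_IN_I))                                # (True, True)
    print("x*y*F:", lemma2_check(multiply(F_IN_I, {(1, 1, 0): 1})))  # (True, True)
    print("G:", lemma2_check(G_NOT_IN_I))                            # (False, False)
```

The array u only needs to be stored on the set 2Σ of the text (here the box enlarged by MAX_DEG), and the converse direction of the lemma is visible in the comment inside recurrence_holds: the components v_{(i,0,0)} form a Vandermonde system in the distinct α_l, so the recurrence cannot hold unless every F(P_l) is zero.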

For the first nonzero pole order v := 02 , which is equal to qi in case of Her- 
mitian codes, the cardinality p, := ffF of a minimal polynomial set F during 

the process of the BMS algorithm [13] is equal to riF, where 0{ri) = 
by (2). Consequently, the computational complexity of the above method is 
0 (piV 2 ) = 0{vNiK~^), which is 0{m) in case of Hermitian codes with 
0{K) = 0{N), particularly K ~ cN for c < |. This complexity is the same as 
that of Olshevsky and Shokrollahi’s method [6] and less than 0{N^) for Gaussian 
elimination. 

The left-hand side of the equation (3) is a component v_p of a 3D array v = 
(v_p), p ∈ Σ, provided that the array u is defined over the set 2Σ := {p + q | p, q ∈ 
Σ}, where the array v is denoted as v := F ∘ u. Then the linear recurrence (3) 
can be written F ∘ u = 0, where the right-hand side 0 means the zero array whose 
components are all zero. For later use, we recall the following definition and 
fact from [17]. A set of arrays u^{(1)}, ..., u^{(M)} is called a set of representative 
arrays of an ideal I ⊂ R[z] if and only if I coincides with the characteristic ideal of 
these arrays, defined as I(u^{(1)}, ..., u^{(M)}) := {F ∈ R[z] | F ∘ u^{(t)} = 0, 1 ≤ t ≤ M}. 

Given a set of arrays u^{(1)}, ..., u^{(M)}, by using a modification [11] of the BMS 
algorithm for multiple arrays, we can efficiently find a minimal set of polynomials 
F satisfying the identities F ∘ u^{(t)} = 0 in the form of (3) for the arrays u^{(t)}, 
1 ≤ t ≤ M, which is a Gröbner basis of the ideal I(u^{(1)}, ..., u^{(M)}). 



3.2 Fast Interpolation for GS List Decoding 

Now we extend the valuation v_{P_l}(f), 1 ≤ l ≤ N, of f ∈ R at P_l ∈ P to that of 
any function F ∈ R[z] at the 3D point P_l = (P_l, w_l) by v_{P_l}(f (z − w_l)^k) := v_{P_l}(f) + k for f ∈ R. 
Thus, for F = Σ_k f_k (z − w_l)^k with f_k ∈ R, we define v_{P_l}(F) := 
min_k{v_{P_l}(f_k (z − w_l)^k)} = min_k{v_{P_l}(f_k) + k}. Then we must find a function 
F ∈ R[z] such that deg(F) is minimum w.r.t. the total order over Σ and 
v_{P_l}(F) ≥ s_l (= s), 1 ≤ l ≤ N. Immediately we have the following observations. 

(1) For each pair of P_l, 1 ≤ l ≤ N, and j ∈ Z_0, the set I^{(l)}(j) := {F ∈ 
R[z] | v_{P_l}(F) ≥ j} is an ideal; 

(2) The required interpolation function Q is an element of a Gröbner basis 
of the ideal I(s) = ∩_{l=1}^{N} I^{(l)}(s). 

If we have some efficient method to obtain a Gröbner basis of an inter- 
section of ideals, we need neither find all the elements of an increasing zero 
basis at each point P_l, nor solve a large system of linear equa- 
tions by Gaussian elimination. The method of obtaining a Gröbner basis of an 
intersection of two ideals I_1, I_2 ⊂ F[x_1, x_2, ..., x_n] by the well-known formula 
I_1 ∩ I_2 = (t f_i + (1 − t) g_j | f_i ∈ I_1, g_j ∈ I_2) ∩ F[x_1, x_2, ..., x_n] is not so efficient for 
our purpose. Before discussing how to find the Gröbner bases of the ideals I^{(l)}(s), 
1 ≤ l ≤ N, and I(s) in R[z], we treat ideals I ⊂ R in 3.2.1, and then consider 
ideals I ⊂ R[z] in 3.2.2. Finally, we give a fast algorithm for finding a Gröbner 
basis of the intersection ideal I(s) in 3.2.3. 

3.2.1 Gröbner Basis of 2D Ideals 

First, for p = (i, j) ∈ Σ and P_l, 1 ≤ l ≤ N, we define the zero order of p 
at P := P_l as o_P(p) := max{v_P(f) | f ∈ R, deg(f) = p}, which is denoted simply as 
o(p). Arranging the elements of Σ w.r.t. the total order <_T, we have 
Σ = {p^{(1)}, p^{(2)}, ...}, where p^{(1)} = (0,0) <_T p^{(2)} <_T .... Let f^{(i)} ∈ R be such 
that deg(f^{(i)}) = p^{(i)} and v_P(f^{(i)}) = o(p^{(i)}), i = 1, 2, .... Then we have a 
pair of mutually corresponding series O_P := {o(p^{(1)}), o(p^{(2)}), ...} ⊂ Z_0 and 
F_P := {f^{(1)}, f^{(2)}, ...} ⊂ R. Let <_P be the ordinary partial order over the 2D 
set Z_0^2. Then it is easy to see that if p <_P q then o(p) < o(q), and that I_P(j) := 
{f ∈ R | v_P(f) ≥ j} is an ideal in R. A subset S ⊂ Σ is said to be outward 
(respectively, inward) stable (w.r.t. <_P) if and only if the following condition is satisfied: 
if p ∈ S, q ∈ Σ, p <_P (respectively, >_P) q, then q ∈ S. We take the subset 
Σ_P(j) := {p ∈ Σ | o(p) ≥ j} of Σ, and its complement Δ_P(j) := Σ \ Σ_P(j). 
These subsets have the following properties w.r.t. the partial order <_P over Z_0^2: 
the subset Σ_P(j) is outward stable, and Δ_P(j) is inward stable. This leads 
us to introduce the subset S_P(j) := min_P Σ_P(j) of Σ_P(j), which is the set of 
all minimal (w.r.t. the partial order <_P) points p ∈ Σ_P(j), accompanied with 
the subset F_P(j) := {f ∈ F_P | deg(f) ∈ S_P(j)} of R. Consequently, we have a 
conclusion about the ideals I_P(j) in R. 

Theorem 1 F_P(j) is a Gröbner basis of I_P(j). 

From the above considerations we have the following algorithm for finding O_P, F_P itera- 
tively (w.r.t. <_T) for each P = (ξ, η) and a fixed integer s. Below let X := x − ξ, 
Y := y − η. 

Algorithm 1 
Step 1: j := 1; F_P := {1}; O_P := {0}; 

Step 2: p := − (1,0) (or (0,1)); 
f ∈ F_P such that deg(f) = p; f' := Xf (or Yf); 
if v_P(f') ∈ O_P then 
  by using the procedure mentioned in the proof of Theorem 1 of [15], 
  construct g ∈ R from f' and some h ∈ F_P with v_P(h) = v_P(f') 
  such that v_P(g) ∉ O_P and v_P(g) is minimum; 
  F_P := F_P ∪ {g}; O_P := O_P ∪ {v_P(g)}; 
else F_P := F_P ∪ {f'}; O_P := O_P ∪ {v_P(f')}; 

Step 3: j := j + 1; if j < s then go to Step 2 else stop. 

In the above procedure of [15], the coefficients of the initial terms of the Laurent 
expansions of functions w.r.t. a local parameter t must be calculated. They can be 
obtained by the following ordinary method in the case of Hermitian codes over fields 
of characteristic 2, i.e. q_1 = 2^r, q = 2^{2r}. For P = (ξ, η), X = x − ξ, Y = y − η, 
we can rewrite the curve-defining equation as Y + Y^{q_1} = aX + bX^{q_1} + X^{q_1+1}, 
where a := ξ^{q_1}, b := ξ, from which it follows that, in the power expansion 
Y = Σ_j c_j X^j, the coefficients satisfy the equalities: c_1 = a, c_{q_1} + c_1^{q_1} = b, 
c_{q_1+1} = 1, c_{q_1 j} + c_j^{q_1} = b δ_{j1}. Therefore, c_j = 0 except for c_1 = a and c_{q_1^j (q_1+1)} = 1, 
j ≥ 0, and consequently we have Y = aX + X^{q_1+1} + X^{q_1(q_1+1)} + X^{q_1^2(q_1+1)} + .... 

It is easy to get the expansions of Y^2, Y^3, ..., and in general those of Y^i, i ∈ Z_0. 
We show a simple example of computation by Algorithm 1. 

Example 1 Let q_1 = 2, q = 2^2 = 4. Then we have an elliptic curve (g = 1) as 
a special case: X : x^3 + y^2 + y = 0 over the field F_4 = F_2[α]/(α^2 + α + 1). At the 
infinity point P_∞, o(x) = 2, o(y) = 3, and L(∞P_∞) = ⟨x^i y^j | i ≥ 0, 0 ≤ j ≤ 1⟩. 
For example, we take P = (1, α^2), and let X := x − 1, Y := y − α^2. Then 
Y + Y^2 = X + X^2 + X^3, and thus Y = X + X^3 + X^6 + X^{12} + .... By applying 
Algorithm 1 we have the following tables, in which the pole orders o_P (with the numbers l 
giving the total order <_T), the functions f^{(l)} ∈ F_P, and the valuations o(p^{(l)}) ∈ O_P 
for p^{(l)} = (i, j) are shown respectively as the (i, j)-elements of each (partial) 2D 
array. 

Pole orders o_P (l): 

  i\j    0       1       2 
   0    0(1)    3(3)    6(6) 
   1    2(2)    5(5)    8(8) 
   2    4(4)    7(7) 
   3    6(6)    9(9) 
   4    8(8) 

Functions F_P (valuations O_P): 

  i\j    0                       1 
   0    1 (0)                   Y + X (3) 
   1    X (1)                   X(Y + X) (4) 
   2    X^2 (2)                 X^2(Y + X) (5) 
   3    X^3 + Y + X (6)         (X^3 + 1)Y + X^4 + X^3 + X (9) 
   4    X^4 + XY + X^2 (7) 

From the table we have, e.g., a Gröbner basis expression of the ideal I(4) = 
(X^3 + Y + X, XY + X^2, Y^2 + X^2). 

The computational complexity of Algorithm 1 is O(s^2 N). As an alternative, 
we have another algorithm to find a Gröbner basis of I_P(j) based on the formula 
I_P(j + 1) = I_P(j) I_P + I_X, which is derived from Proposition 11 mentioned by 
Matsumoto [8]. Its complexity is O(ν s^2 N). 

3.2.2 Gröbner Bases of 3D Ideals 

Now, as a result of the discussion of ideals I in R in 3.2.1, we are ready to 
treat ideals in R[z]. Similar to the zero order of a 2D point p = (i, j) ∈ Σ, we 
define the zero order of a 3D point p = (i, j, k) ∈ Σ at P = P_l = (α, β, w) as 
ô_P(p) := max{v_P(f) | deg(f) = p}, which is denoted simply as ô(p). Arranging 
the elements of Σ w.r.t. the total order <_T over Σ, we have Σ = {p^{(1)}, p^{(2)}, ...}, 
where p^{(1)} = (0,0,0) <_T p^{(2)} <_T .... Let f^{(i)} be such that deg(f^{(i)}) = p^{(i)} and 
v_P(f^{(i)}) = ô(p^{(i)}), i ∈ Z_0. Then we have a pair of mutually corresponding 
series O_P := {ô(p^{(1)}), ô(p^{(2)}), ...} ⊂ Z_0 and F_P := {f^{(1)}, f^{(2)}, ...} ⊂ R[z]. Again 
we have a set of concepts for ideals in R[z] similar to those for ideals in R. Thus, 
we have that if p <_P q (w.r.t. the partial order <_P over Σ) then ô(p) < ô(q), and that 
the subset I_P(j) := {f ∈ R[z] | v_P(f) ≥ j} is an ideal. A subset S ⊂ Σ is said to 
be outward (respectively, inward) stable (w.r.t. <_P) if and only if the following condition 
is satisfied: if p ∈ S, q ∈ Σ, p <_P (respectively, >_P) q then q ∈ S. Let Σ_P(j) := 
{p ∈ Σ | ô(p) ≥ j}, and Δ_P(j) := Σ \ Σ_P(j). Then Σ_P(j) is outward stable, 
and Δ_P(j) is inward stable. Taking the subset S_P(j) := min_P Σ_P(j) composed of the 
elements p ∈ Σ_P(j) which are minimal w.r.t. <_P, and the corresponding subset 
F_P(j) := {f ∈ F_P | deg(f) ∈ S_P(j)}, we have a conclusion about the ideals I_P(j) in 
R[z]. 

Theorem 2 F_P(j) is a Gröbner basis of I_P(j), and F_P(s) ⊂ ∪_{i=0}^{s} (z − w)^i F_P(s − i). 

Example 2 As in the previous example, for X = x − ξ, Y = y − η, Z = z − w, 
F_P(4) = (X^3 + Y + X, XY + X^2, Y^2 + X^2, X^2 Z^2, (Y + X)Z, XZ^3, Z^4) is a Gröbner 
basis expression of the 3D ideal I_P(4) in R[z], in view of the above-mentioned Gröbner basis 
of the 2D ideal I_P(4) in R. 



3.2.3 Fast Interpolation Method for GS List Decoding 

From a Gröbner basis F^{(l)} := F_{P_l}(s) of the ideal I^{(l)}(s) := I_{P_l}(s), we can 
get a set of νs representative 3D arrays u^{(l,1)}, ..., u^{(l,νs)} such that I^{(l)}(s) = 
I(u^{(l,1)}, ..., u^{(l,νs)}) for each l, 1 ≤ l ≤ N, where we recall that the 
definition of representative arrays of an ideal is as written in 3.1. Since I(s) = 
∩_{l=1}^{N} I^{(l)}(s), we can find a Gröbner basis of I(s) by applying the BMS algorithm 
[11] for multiple arrays iteratively as follows, where we can start the BMS al- 
gorithm with the Gröbner basis F of the i-th intersection ideal I = ∩_{l=1}^{i} I^{(l)}(s) 
obtained in the i-th stage of the following algorithm and update F at each iter- 
ation in Step 2 of the (i + 1)-th stage until all the relevant parts of the arrays 
have been checked and finally the Gröbner basis of I ∩ I^{(i+1)}(s) is obtained. 







Algorithm 2 
Step 1: F := F^{(1)} (I := I^{(1)}(s)); i := 1; 

Step 2: Apply the BMS algorithm to the multiple arrays u^{(i+1,1)}, ..., u^{(i+1,νs)} 
to update F so that F becomes a Gröbner basis of I := I ∩ I^{(i+1)}(s) 
at the final iteration; 

Step 3: i := i + 1; if i < N then go to Step 2 else stop. 

The computational complexity of Algorithm 2 can be estimated roughly as fol- 
lows. Each ideal has i^s representative arrays, and its Grobner basis has 

the delta set of size ffA^‘^'>{s) = which is equal to the size of each 

element of On the other hand, the size of the delta set for a Grobner 

basis of the i-th intersection can be estimated as is^, which is not 

less than the size of each element of F, where E is a set of minimal polynomi- 
als of a set of partial arrays during the process of Algorithm 2. The number of 
elements of F is not greater than which is 0{sN^ K~^) since 0{mr1) = 
0{Ns‘^) by (2) and 0{m) = 0{K). Therefore, in Step 2 for each i, we need 
to update rgn polynomials of size is^ by s^ iterations for the i/s partial arrays 
.^S+ 1 , 1 ) ^ y^(^+l, 2 ) ^ • • • , each of size (i-l-l)s^— = s^. Thus, the total com- 
plexity of Algorithm 2 is roughly ^ x x i/s) = 0(iy^s^Ni K~^), 

which is an overestimation because only a few elements of the current minimal 
polynomial set F must be checked and updated probably at each of lys itera- 
tions of Step 2 for every i. For Hermitian codes the complexity is 0{s^N~e 
which is 0{s^N3) and less than the complexity 0{s^N^) of the Gaussian elim- 
ination in case of A ~ cN for 0 < c < 1. (Remark: Olshevsky and Shokrollahi 
[6] give neither a method of fast interpolation for GS list decoding of one-point 
AG codes nor its complexity explicitly.) 

4 Concluding Remark 

The computational complexity of our fast interpolation method for GS list de- 
coding of one-point AG codes is OfiPs^N^K~^), which is not reduced to the 
complexity 0{vN^ K~^) of the fast interpolation in case of Sudan list decoding 
(s = 1) because the method for GS list decoding has a different form in applying 
the BMS algorithm for multiple arrays. 
Abstract. The aim of this paper is to present an exhaustive algebraic 
study of a new class of curves, the so-called Quasihermitian curves (which 
includes the Hermitian curves), and to compute their genus. These curves 
allow one to construct good algebraic geometric Goppa codes, since they are 
absolutely irreducible plane curves with many rational points over F_q. 

1 Introduction 

Let K be a finite field of characteristic 2, K = F_q where q = 2^k. 

For any a, b ∈ Z with a ≥ 2, b ≥ −a, and β_1, β_2 ∈ K − {0}, we consider the fol- 
lowing curves (Quasihermitian curves) defined over K, given by the homogeneous 
equation 

Y^a Z^b + β_1 Y Z^{a+b−1} + β_2 X^{a+b} = 0 

if b ≥ 0, and if b < 0 

Y^a + β_1 Y Z^{a−1} + β_2 X^{a+b} Z^{−b} = 0. 

So, this class of curves is defined by the affine equation 
y^a + β_1 y + β_2 x^{a+b} = 0. 

Quasihermitian curves include some types of curves with many rational points. 
If j = 2 jo we have the Hermitian curves [8], which have by equation 

and the maximal curves obtained from the affine equation + y = where 
m is a divisor of -b 1), see [3]. 

Curves with many rational points are interesting in coding theory. In partic- 
ular, Goppa geometric codes obtained from Hermitian curves have been exten- 
sively studied [8] [9]. The special arithmetic properties of the F_q-rational points 
of Hermitian curves have made it possible to calculate the true minimum distance of such 
codes. 

We begin here a systematic study of the properties of Quasihermitian curves and 
of the Goppa codes obtained from them. In particular, we compute their genus. 

We find among these Quasihermitian curves many new maximal curves (see 
Section 6), i.e. curves whose non-singular models have a number of F_q- 
rational points attaining the Hasse-Weil upper bound q + 1 + 2g√q. So, for example, 

Y^2 Z^9 + Y Z^{10} + X^{11} = 0 is a maximal curve over F_{2^10} and Y^4 + YZ^3 + X^3 Z = 0 

is a maximal curve over F_{2^6}. 



2 Some Previous Definitions and Results 

Let C_1 and C_2 be curves (absolutely irreducible projective varieties of dimension 
1) defined over K. We shall denote by g(C_1) and g(C_2) the genus of C_1 and C_2, 
respectively, and by K(C_1) and K(C_2) the respective function fields. 

Definition 1. A non-constant rational map φ : C_1 → C_2 is said to be purely 
inseparable if K(C_1) is a purely inseparable algebraic extension of φ*(K(C_2)), 
where φ* is defined by 

φ* : K(C_2) → K(C_1) 

f ↦ f ∘ φ. 

Proposition 1. (See [5] p. 302, and [8] p. 127) If K(C_1) is a purely inseparable 
algebraic extension of φ*(K(C_2)), then g(C_1) = g(C_2). 

We recall the genus formula of a curve C obtained from the sequence of 
multiplicities at its infinitely near singular points. The blowing-up process at one point 
will also be called a quadratic transformation (QDT) at that point. 

Proposition 2. (See [1] p. 148, [2] p. 7, [4] p. 124, and [5] p. 126) Assume that C 
is an absolutely irreducible algebraic plane curve of degree h. Let P_1, P_2, ..., P_N be 
all the singular points of C, and r_{i1}, r_{i2}, ..., r_{im_i} (i = 1, ..., N) the multiplicity sequence 

with respect to blowing-up with center P_i. Then the genus of C is 

where, ∀i = 1, ..., N, δ(P_i) = 

3 Quasihermitian Curves 

Definition 2. A Quasihermitian curve is the absolutely irreducible projective 
variety over K given, for any a, b ∈ Z, a ≥ 2, b ≥ −a, by the homogeneous 
equation 

Y^a Z^b + β_1 Y Z^{a+b−1} + β_2 X^{a+b} = 0 

if b ≥ 0, or 

Y^a + β_1 Y Z^{a−1} + β_2 X^{a+b} Z^{−b} = 0, 

if b < 0, where β_1, β_2 ∈ K − {0}. 



Proposition 3. For any a, b ∈ Z, a ≥ 2 and b ≥ −a, the affine curves C and 
C_1 with equations, respectively, y^a + y + x^{a+b} = 0 and y_1^a + β_1 y_1 + β_2 x_1^{a+b} = 0, 
are isomorphic over K. 

Proof. The rational map φ : A^2 → A^2, (x, y) ↦ (δx, εy), with δ and ε ∈ K 
such that β_2 δ^{a+b} = ε^a and ε^{a−1} = β_1, is an isomorphism. The restricted map 
verifies (φ|C)(x, y) = (x_1, y_1) ∈ C_1 because 

ε^a y^a + β_1 ε y + β_2 δ^{a+b} x^{a+b} = ε^a (y^a + y + x^{a+b}) = 0. 

Corollary 1. (See Proposition 1) The curves C and C_1 have the same genus. 

Proposition 3 and Corollary 1 suggest the following definition. 

Definition 3. For any a ≥ 2 and b ≥ 0, we denote by C_{a,a+b} the absolutely 
irreducible projective curve over K given by the homogeneous equation 

Y^a Z^b + Y Z^{a+b−1} + X^{a+b} = 0. 



4 Singular Points of C_{a,a+b} 

If P = (x, y, z) ∈ C_{a,a+b} is singular, then 

  y^a z^b + y z^{a+b−1} + x^{a+b} = 0 
  (a + b) x^{a+b−1} = 0 
  a y^{a−1} z^b + z^{a+b−1} = 0 
  b y^a z^{b−1} + (a + b − 1) y z^{a+b−2} = 0 

We have the following cases, where if a is even we write a = 2^r r_0 (with 
r_0 odd), and if a is odd we write a − 1 = 2^s s_0 (with s_0 odd); see Table 1. 

5 Genus 

Consider b ≥ 0; we write a + b = 2^n b_0, with b_0 odd, and ∀n' ≥ 0, m = 
2^{n'} b_0. If m > a, we are going to consider the curve C_{a,m} (so the notation C_{a,m} 
indicates that m > a), and if m < a, the curve D_{a,m} defined by the equation 
Y^a + Y Z^{a−1} + X^m Z^{a−m} = 0. We shall prove that there is a purely inseparable 
rational map between C_{a,a+b} and C_{a,m}, and between C_{a,a+b} and D_{a,m}. We begin 
with the following result. 
Table 1. Sing(C_{a,a+b}) := singular points of C_{a,a+b} 

  a = 2 and b = 0                 There are none 
  a is even, a ≠ 2 and b = 0      (τ, 1, 0) / τ^{r_0} = 1 
  a is even and b = 1             There are none 
  a is even and b ≠ 0, 1          (0, 1, 0) 
  a is odd and b = 0, 1           (0, σ, 1) / σ^{s_0} = 1 
  a is odd and b ≠ 0, 1           (0, 1, 0), (0, σ, 1) / σ^{s_0} = 1 


Lemma 1. We consider the affine curve C_0 : x_0^u + y_0^v + f_0(x_0, y_0) = 0, where 
u, v ∈ N, u > v ≥ 2 and f_0(x_0, y_0) = Σ_{r,s : us + vr > uv} a_{rs} x_0^r y_0^s, r, s ∈ N, and 
α = gcd(u, v) odd. Then for the singular point P_0 = (0, 0) of C_0 we have 
δ(P_0) = ((u − 1)(v − 1) + α − 1) / 2. 

Proof. We write u = n_1 v + r_1, with 0 ≤ r_1 ≤ v − 1, and we distinguish the following 
cases. 

(i) If r_1 = 0 then α = v and, applying (n_1 − 1) quadratic transformations (QDTs) 
given by x_i = x_{i+1}, y_i = x_{i+1} y_{i+1}, we obtain the curve 

C_{n_1−1} : x_{n_1−1}^v + y_{n_1−1}^v + f_{n_1−1}(x_{n_1−1}, y_{n_1−1}) = 0 

where f_{n_1−1} = Σ_{r,s} a_{rs} x_{n_1−1}^{r + (n_1−1)s − (n_1−1)v} y_{n_1−1}^s. 

We note that ∀i = 1, ..., n_1 − 1, C_i : x_i^{u−iv} + y_i^v + f_i(x_i, y_i) = 0, where 

f_i(x_i, y_i) = Σ_{r,s} a_{rs} x_i^{r + is − iv} y_i^s with (r + is − iv)v + (u − iv)s > (u − iv)v. 

Hence we get, from C_{n_1−1}, the nonsingular model of C_0. In conclusion 
we have, by blowing-up, a singularity tree with n_1 points of multiplicity v 
plus v smooth points on C_0, so δ(P_0) = n_1 v(v − 1) / 2. This result coincides with 
the Lemma when v = α. 

(ii) If r_1 ≠ 0, then ∃ n_2, r_2 ∈ N such that v = n_2 r_1 + r_2. We distinguish again 
two cases. 

(ii.1) If r_2 = 0, then α = r_1. After (n_1 − 1) QDTs we have the curve 
C_{n_1−1} : x_{n_1−1}^{v+r_1} + y_{n_1−1}^v + f_{n_1−1}(x_{n_1−1}, y_{n_1−1}) = 0. 

We note that ∀i = 1, ..., n_1 − 1, C_i : x_i^{u−iv} + y_i^v + f_i(x_i, y_i) = 0, where 

f_i(x_i, y_i) = Σ_{r,s} a_{rs} x_i^{r + is − iv} y_i^s with ((n_1 − i)v + r_1)s + (r + is − iv)v > ((n_1 − 
i)v + r_1)v. 

The QDT given by x_{n_1−1} = x_{n_1}, y_{n_1−1} = x_{n_1} y_{n_1} transforms the curve 
into the curve C_{n_1} : x_{n_1}^{r_1} + y_{n_1}^v + f_{n_1}(x_{n_1}, y_{n_1}) = 0. We are in case 
(i), where C_{n_1} is like C_0 and v = n_2 r_1. So we have a singularity tree with 
n_1 points of multiplicity v, plus n_2 points of multiplicity α, plus α smooth 
points on C_0. Then 

δ(P_0) = (n_1 v(v − 1) + n_2 α(α − 1)) / 2 = ((u − 1)(v − 1) + α − 1) / 2. 

(ii.2) If r_2 ≠ 0, then ∃ n_3, r_3 ∈ N such that r_1 = n_3 r_2 + r_3. In the case r_3 = 
0, we have r_2 = α, and the sequence of multiplicities is v, ..., v (n_1 times), r_1, ..., r_1 
(n_2 times), α, ..., α (n_3 times). 

Then δ(P_0) = (n_1 v(v − 1) + n_2 r_1(r_1 − 1) + n_3 α(α − 1)) / 2 = (vu − u − v + α) / 2 = 
((u − 1)(v − 1) + α − 1) / 2. In general, applying a finite number of cases, we get r_i ∈ N* such 
that r_i = α (i.e., r_{i+1} = 0). Then r_{i−1} = n_{i+1} r_i. Therefore the sequence of 
multiplicities is 

v, ..., v (n_1 times), r_1, ..., r_1 (n_2 times), ..., r_{i−1}, ..., r_{i−1} (n_i times), α, ..., α (n_{i+1} times), 

hence δ(P_0) = ((u − 1)(v − 1) + α − 1) / 2. 



We write, ∀a ≥ 2, b ≥ 0, a + b = 2^n b_0 with n ≥ 0, b_0 ≥ 1 and b_0 odd, and 
∀n' ≥ 0, m = 2^{n'} b_0. We consider the following curves 

- If m > a, C_{a,m} : Y^a Z^{m−a} + Y Z^{m−1} + X^m = 0 

- If m < a, D_{a,m} : Y^a + Y Z^{a−1} + X^m Z^{a−m} = 0 

Remark 1. There is a purely inseparable map φ between the curves C_{a,a+b} and 
C_{a,m}, and also between C_{a,a+b} and D_{a,m}, with degree 2^{n−n'} if n ≥ n' or 2^{n'−n} 
if n' > n. 

Remark 2. (See Proposition 1) The curves C_{a,a+b}, C_{a,m} and D_{a,m} have the same 
genus. 

We are going to determine the genus of C_{a,a+b} (b ≥ 0) and hence compute 
the genus of the curves defined by the affine equation 

y^a + y + x^{a+b} = 0, ∀a ≥ 2, ∀b ≥ −a. 

Theorem 1. For any a, b ∈ N, a ≥ 2, b ≥ 0 we have 

g(C_{a,a+b}) = s_0(b_0 − 1) / 2 − α_0 

where a + b = 2^n b_0 with n ≥ 0 and b_0 ≥ 1 odd; a − 1 = 2^s s_0 with s ≥ 0 and 
s_0 ≥ 1 odd; and α = gcd(a, b_0), α = 2α_0 + 1. 

Proof. We consider the following seven cases (see Table 1). 

(A) If a = 2 and b = 0, then b_0 = 1, s_0 = 1, and α_0 = 0. In this case there are 
no singular points, so g(C_{2,2}) = 0, i.e., g(C_{2,2}) = s_0(b_0 − 1)/2 − α_0 = 0. 

(B) If a is even, a ≠ 2 and b = 0, then a = 2^n b_0 (i.e., b_0 = r_0), s_0 = a − 1, 
α = gcd(a, b_0) = b_0 and Sing(C_{a,a}) = {(τ, 1, 0) / τ^{b_0} = 1}. We consider the 
affine curve 1 + z^{a−1} + x^a = 0. After a translation x = x_1 + τ, z = z_1, we 
may assume that it passes through the origin (0, 0), so 

1 + z_1^{a−1} + (x_1 + τ)^a = 0 ⟺ 1 + z_1^{a−1} + (x_1^{2^n} + τ^{2^n})^{b_0} = 0 ⟺ 
z_1^{a−1} + x_1^{2^n} + p(x_1) = 0, with deg p(x_1) ≥ 2^n + 1. 

We have that gcd(a − 1, 2^n) = 1, and by Lemma 1 δ((τ, 1, 0)) = (a − 2)(2^n − 1) / 2. 

Hence g(C_{a,a}) = ((a − 1)(a − 2) − b_0(a − 2)(2^n − 1)) / 2 = (s_0 − 1)(b_0 − 1) / 2 = s_0(b_0 − 1)/2 − α_0. 

(C) If a is even and b = 1, then a + 1 = b_0, s_0 = a − 1, and α_0 = 0. There are 
no singular points, and g(C_{a,a+1}) = a(a − 1)/2 = s_0(b_0 − 1)/2 − α_0. 

(D) If a is even, b ≠ 0, b ≠ 1, then C_{a,a+b} has only one singular point, namely 
(0, 1, 0). We distinguish two cases: b_0 > a or b_0 < a. 

(D.1) If b_0 > a, we consider the curve C_{a,b_0}, with b_0 − a ≥ 1. 

(D.1.1) If b_0 − a = 1, we are in case (C) and then g(C_{a,a+b}) = 
g(C_{a,a+1}); we have a + 1 = b_0, a − 1 = s_0 and α = gcd(a, b_0) = 1, 
then g(C_{a,a+b}) = s_0(b_0 − 1)/2 − α_0. 

(D.1.2) If b_0 − a > 1, then Sing(C_{a,a+b}) = {(0, 1, 0)}. For the affine curve 
z^{b_0−a} + z^{b_0−1} + x^{b_0} = 0 we have by Lemma 1 

where α = gcd(a, b_0). Then 

g(C_{a,a+b}) = s_0(b_0 − 1)/2 − α_0. 

(D.2) If b_0 < a, we consider the curve D_{a,b_0} : Y^a + Y Z^{a−1} + X^{b_0} Z^{a−b_0} = 0. 
Its singular points have to satisfy the relations 

  x^{b_0−1} z^{a−b_0} = 0 
  z^{a−1} = 0 
  y z^{a−2} + (a − b_0) x^{b_0} z^{a−b_0−1} = 0 
  y^a + y z^{a−1} + x^{b_0} z^{a−b_0} = 0 

(D.2.1) If a − b_0 = 1, then there are no singular points, a − 1 = b_0 = s_0, 
α = gcd(a, b_0) = 1 and 

g(C_{a,a+b}) = g(D_{a,b_0}) = (a − 1)(a − 2)/2 = s_0(b_0 − 1)/2 − α_0. 

(D.2.2) If a − b_0 > 1, the only singular point is (1, 0, 0), and we consider 
the affine curve y^a + y z^{a−1} + z^{a−b_0} = 0; α = gcd(a, a − b_0) is odd, so we 
have by Lemma 1 δ((1, 0, 0)) = ((a − 1)(a − b_0 − 1) + α − 1) / 2 and 

g(C_{a,a+b}) = g(D_{a,b_0}) = ((a − 1)(b_0 − 1) − α + 1) / 2 = s_0(b_0 − 1)/2 − α_0. 
(E) If a is odd, b = 0, then a = b_0, b_0 = 2^s s_0 + 1, α = b_0 and Sing(C_{a,a}) = 
{(0, σ, 1) / σ^{s_0} = 1}. We consider the affine curve x^a + y + y^a = 0, which we 
make pass through (0, 0) by setting x = x_1, y = y_1 + σ, so 

x_1^a + (y_1 + σ) + (y_1 + σ)^a = 0 ⟺ 
(y_1^a + σ^a + σ) + (y_1 + σ) + x_1^a = 0 ⟺ 
x_1^a + y_1^{2^s} + p(y_1) = 0, with deg p(y_1) ≥ 2^s + 1. 

Since gcd(a, 2^s) = 1, by Lemma 1 δ((0, σ, 1)) = (a − 1)(2^s − 1) / 2. Hence 

g(C_{a,a}) = ((a − 1)(a − 2) − s_0(a − 1)(2^s − 1)) / 2 = (a − 1)(s_0 − 1) / 2 = (s_0 − 1)(b_0 − 1) / 2 = s_0(b_0 − 1)/2 − α_0. 



(F) If a is odd and b = 1, then a + 1 = 2^n b_0. We distinguish the two possible 
cases. 

(F.1) If b_0 > a, we consider the curve C_{a,b_0} : Y^a Z^{b_0−a} + Y Z^{b_0−1} + X^{b_0} = 0. 
As b_0 − a ≥ 2, Sing(C_{a,b_0}) = {(0, 1, 0), (0, σ, 1) / σ^{s_0} = 1}. We have the 
affine curve z^{b_0−a} + z^{b_0−1} + x^{b_0} = 0, with gcd(b_0 − a, b_0) = α which is odd, 
and then by Lemma 1 

δ((0, 1, 0)) = ((b_0 − a − 1)(b_0 − 1) + α − 1) / 2. 

If we now consider the affine curve x^{b_0} + y + y^a = 0, and we set x = x_1, 
y = y_1 + σ, we obtain 

x_1^{b_0} + (y_1 + σ) + (y_1 + σ)^a = 0 
⟺ (y_1^a + σ^a + σ) + (y_1 + σ) + x_1^{b_0} = 0 ⟺ 
x_1^{b_0} + y_1^{2^s} + p(y_1) = 0, with deg p(y_1) ≥ 2^s + 1. 

As gcd(b_0, 2^s) = 1, by Lemma 1 δ((0, σ, 1)) = (b_0 − 1)(2^s − 1) / 2. So 

g(C_{a,a+1}) = (b_0 − 1)(a − 1 − 2^s s_0 + s_0) / 2 − α_0 = s_0(b_0 − 1)/2 − α_0. 

(F.2) If b_0 < a, we consider the curve D_{a,b_0} : Y^a + Y Z^{a−1} + X^{b_0} Z^{a−b_0} = 0. 
Its singular points have to verify 

  x^{b_0−1} z^{a−b_0} = 0 
  y^{a−1} + z^{a−1} = 0 
  y z^{a−2} + (a − b_0) x^{b_0} z^{a−b_0−1} = 0 

Then, if b_0 = 1, the only singular point is (1, 0, 0); and if b_0 ≠ 1, the singular 
points are {(1, 0, 0), (0, σ, 1) / σ^{s_0} = 1}. We distinguish again two cases. 

(F.2.1) If b_0 = 1, we consider the affine curve y^a + y z^{a−1} + z^{a−1} = 0; as 
gcd(a, a − 1) = 1, by Lemma 1 δ((1, 0, 0)) = (a − 1)(a − 2) / 2. 

So, g(C_{a,a+1}) = 0 = s_0(b_0 − 1)/2 − α_0. 
(F.2.2) If b_0 ≠ 1, we consider the affine curve y^a + y z^{a−1} + z^{a−b_0} = 0, and 
gcd(a, a − b_0) = α, then 

δ((1, 0, 0)) = 

If we consider the affine curve y^a + y + x^{b_0} = 0, we set x = x_1, y = y_1 + σ, so 
we obtain (case (F.1)) x_1^{b_0} + y_1^{2^s} + p(y_1) = 0, with deg p(y_1) ≥ 2^s + 1, 
then 

δ((0, σ, 1)) = (b_0 − 1)(2^s − 1) / 2. 

Hence 

g(C_{a,a+1}) = ((a − 1)(b_0 − 1) − s_0(b_0 − 1)(2^s − 1)) / 2 − α_0 = s_0(b_0 − 1)/2 − α_0. 



(G) If a is odd, b ≠ 0 and b ≠ 1. We distinguish the cases b_0 = a, b_0 > a and 
b_0 < a. 

(G.1) If b_0 = a, we consider the curve C_{a,a}, which has already been studied 
in (E). 

(G.2) If b_0 > a, we have the curve C_{a,b_0} : Y^a Z^{b_0−a} + Y Z^{b_0−1} + X^{b_0} = 0, 
and Sing(C_{a,b_0}) = {(0, 1, 0), (0, σ, 1) / σ^{s_0} = 1}. We consider the affine curve 
z^{b_0−a} + z^{b_0−1} + x^{b_0} = 0; gcd(b_0 − a, b_0) = α is odd, and by Lemma 1 we 
have 

δ((0, 1, 0)) = ((b_0 − a − 1)(b_0 − 1) + α − 1) / 2. 

For the affine curve y^a + y + x^{b_0} = 0, we set x = x_1, y = y_1 + σ, so we have 
the affine curve (y_1 + σ)^a + (y_1 + σ) + x_1^{b_0} = 0, which was studied in (F.1), 
and we know that 

δ((0, σ, 1)) = (b_0 − 1)(2^s − 1) / 2. 

Hence g(C_{a,a+b}) = g(C_{a,b_0}) = s_0(b_0 − 1)/2 − α_0. 

(G.3) If b_0 < a, we consider the curve D_{a,b_0} : Y^a + Y Z^{a−1} + X^{b_0} Z^{a−b_0} = 0. 
Its singular points have to verify 

  x^{b_0−1} z^{a−b_0} = 0 
  y^{a−1} + z^{a−1} = 0 
  y z^{a−2} + (a − b_0) x^{b_0} z^{a−b_0−1} = 0 
  y^a + y z^{a−1} + x^{b_0} z^{a−b_0} = 0 

(G.3.1) If b_0 = 1, the only singular point is (1, 0, 0). We consider the affine 
curve y^a + y z^{a−1} + z^{a−1} = 0. By Lemma 1 

δ((1, 0, 0)) = (a − 1)(a − 2) / 2, 

so g(C_{a,a+b}) = g(D_{a,1}) = (a − 1)(a − 2)/2 − (a − 1)(a − 2)/2 = 0; 
gcd(a, b_0) = 1, then α_0 = 0, and g(C_{a,a+b}) = s_0(b_0 − 1)/2 − α_0 = 0. 

(G.3.2) If b_0 > 1 then Sing(D_{a,b_0}) = {(1, 0, 0), (0, σ, 1) / σ^{s_0} = 1}. We consider 
for the point (1, 0, 0) the affine curve y^a + y z^{a−1} + z^{a−b_0} = 0, where α = 
gcd(a, a − b_0) is odd. Then, by Lemma 1 

δ((1, 0, 0)) = 

For the points (0, σ, 1), we consider the affine curve y^a + y + x^{b_0} = 0, and we 
set x = x_1 and y = y_1 + σ. Then we have the affine curve (y_1 + σ)^a + (y_1 + 
σ) + x_1^{b_0} = 0. We are in case (F.1) and 

δ((0, σ, 1)) = (b_0 − 1)(2^s − 1) / 2. 

Then g(C_{a,a+b}) = g(D_{a,b_0}) = s_0(b_0 − 1)/2 − α_0. 

Corollary 2. For any a, b ∈ Z, a ≥ 2, b ≥ −a, a + b = 2^n b_0, if C is the curve with 
equation Y^a Z^b + Y Z^{a+b−1} + X^{a+b} = 0, with b ≥ 0, or Y^a + Y Z^{a−1} + X^{a+b} Z^{−b} = 
0, with b < 0, then its genus is 

g(C) = s_0(b_0 − 1) / 2 − α_0 

where a + b = 2^n b_0 with n ≥ 0 and b_0 ≥ 1 odd; a − 1 = 2^s s_0 with s ≥ 0 and 
s_0 ≥ 1 odd; and α = gcd(a, b_0), α = 2α_0 + 1. 



6 Examples of Maximal Curves 

Let g(C) be the genus of C and let N(C(F_q)) be the number of F_q-rational 
points of C (i.e., of the non-singular model of C). We present, for example, the 
following maximal Quasihermitian curves. 

  C_{2,5}  : Y^2 Z^3 + Y Z^4 + X^5 = 0        g(C_{2,5}) = 2     N(C_{2,5}(F_{2^4})) = 33 
  C_{2,11} : Y^2 Z^9 + Y Z^{10} + X^{11} = 0   g(C_{2,11}) = 5    N(C_{2,11}(F_{2^10})) = 1,345 
  C_{2,13} : Y^2 Z^{11} + Y Z^{12} + X^{13} = 0  g(C_{2,13}) = 6    N(C_{2,13}(F_{2^12})) = 4,865 
  C_{3,5}  : Y^3 Z^2 + Y Z^4 + X^5 = 0        g(C_{3,5}) = 2     N(C_{3,5}(F_{2^4})) = 33 
  D_{4,3}  : Y^4 + Y Z^3 + X^3 Z = 0          g(D_{4,3}) = 3     N(D_{4,3}(F_{2^6})) = 113 

Considering that if a + b = 2^n b_0, with b_0 ≥ 1 odd, n ≥ 0, then there is 
a purely inseparable rational map φ between the curves C_{a,a+b} and C_{a,2^k b_0}, 
with 2^k b_0 > a, and between the curves C_{a,a+b} and D_{a,2^k b_0}, 2^k b_0 < a (see 
Remark 1), we can give other maximal curves from each one of the above curves. 
For example, with the same genus and the same number of rational points over 
F_{2^4} (therefore maximal curves) we have, from C_{2,5}, the curves C_{2,10}, C_{2,20} and 
C_{2,40}. 
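As an added worked example (not the paper's own code), the following script implements the genus formula of Corollary 2 and the Hasse-Weil bound q + 1 + 2g√q, and checks the five curves of Section 6 against the values listed there. It also counts the affine F_16-points of the affine model y^2 + y + x^5 = 0 of C_{2,5} with a small hand-written F_16 arithmetic; the F_16 representation, the list of (a, m, q, N) tuples and the helper names are constructions of this example. The count covers only the affine part of the curve: the projective model of C_{2,5} has a single F_16-rational place at infinity, over the point (0 : 1 : 0), so the affine count plus one gives the listed N.

```python
"""Added example (not from the paper): Corollary 2's genus formula, the
Hasse-Weil bound, and an affine point count for C_{2,5} over F_16.

Assumptions: a curve is given by (a, m) with m = a + b, i.e. C_{a,m} when m > a
and D_{a,m} when m < a; the (a, m, q, N) tuples below reproduce the values of
Section 6 as data to be checked; F_16 is F_2[t]/(t^4 + t + 1), elements encoded
as 4-bit integers (a constructed representation).
"""
from math import gcd, isqrt

def split_odd(n):
    """Write n = 2^e * n0 with n0 odd and return (e, n0); requires n >= 1."""
    if n < 1:
        raise ValueError("n must be positive")
    e = 0
    while n % 2 == 0:
        n //= 2
        e += 1
    return e, n

def genus(a, m):
    """Genus of the Quasihermitian curve with parameters a >= 2 and m = a + b >= 1
    (Corollary 2): g = s0 (b0 - 1) / 2 - alpha0 with
    m = 2^n b0 (b0 odd), a - 1 = 2^s s0 (s0 odd), alpha = gcd(a, b0) = 2 alpha0 + 1."""
    if a < 2:
        raise ValueError("a must be at least 2")
    _, b0 = split_odd(m)
    _, s0 = split_odd(a - 1)
    alpha = gcd(a, b0)          # odd, because b0 is odd
    alpha0 = (alpha - 1) // 2
    return s0 * (b0 - 1) // 2 - alpha0   # b0 - 1 is even, so the division is exact

def hasse_weil_bound(q, g):
    """q + 1 + 2 g sqrt(q) for a square q (all fields in Section 6 are F_{2^{2k}})."""
    r = isqrt(q)
    if r * r != q:
        raise ValueError("q must be a perfect square for an integral bound")
    return q + 1 + 2 * g * r

# (a, m, q, N) for the curves of Section 6: C_{2,5}, C_{2,11}, C_{2,13}, C_{3,5}, D_{4,3}
SECTION6 = [(2, 5, 16, 33), (2, 11, 1024, 1345), (2, 13, 4096, 4865),
            (3, 5, 16, 33), (4, 3, 64, 113)]

def all_listed_curves_maximal(table=SECTION6):
    """True if every listed N equals the Hasse-Weil bound for the computed genus."""
    return all(hasse_weil_bound(q, genus(a, m)) == n for a, m, q, n in table)

def gf16_mul(x, y):
    """Multiplication in F_16 = F_2[t]/(t^4 + t + 1), 4-bit integer encoding."""
    r = 0
    for _ in range(4):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x10:
            x ^= 0x13            # reduce t^4 -> t + 1
    return r

def gf16_pow(x, e):
    r = 1
    for _ in range(e):
        r = gf16_mul(r, x)
    return r

def affine_points(a, m):
    """Number of (x, y) in F_16^2 with y^a + y + x^m = 0 (characteristic 2: '+' is XOR)."""
    return sum(1 for x in range(16) for y in range(16)
               if gf16_pow(y, a) ^ y ^ gf16_pow(x, m) == 0)

if __name__ == "__main__":
    for a, m, q, n in SECTION6:
        g = genus(a, m)
        print(f"a={a} m={m}: genus {g}, Hasse-Weil bound over F_{q} = {hasse_weil_bound(q, g)}, listed N = {n}")
    print("affine F_16-points of y^2 + y + x^5 = 0:", affine_points(2, 5))
```

The same formula recovers the Hermitian case mentioned in the introduction: for a = q_1 = 2^k and m = q_1 + 1 one gets b_0 = q_1 + 1, s_0 = q_1 − 1 and α = 1, hence g = q_1(q_1 − 1)/2, e.g. genus(4, 5) = 6 for the Hermitian curve over F_16 and genus(2, 3) = 1 for the elliptic curve x^3 + y^2 + y = 0 over F_4.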
Abstract. In this paper we present an extension of a result in [2] about 
a discrepancy bound for sequences of s-tuples of successive nonlinear 
multiple recursive congruential pseudorandom numbers of higher orders. 
The key to this note is a set of linearity properties of the iterations of 
multivariate polynomials. 



1 Introduction 

The paper [2] studies the distribution of pseudorandom number generators de- 
fined by a recurrence congruence modulo a prime p of the form 

u_{n+1} = f(u_n, ..., u_{n−m+1}) (mod p), n = m − 1, m, ..., (1) 

with some initial values u_0, ..., u_{m−1}, where f(X_1, ..., X_m) is a polynomial 
of m variables over the field F_p of p elements. These nonlinear congruential 
generators provide a very attractive alternative to linear congruential generators 
and, especially in the case m = 1, have been extensively studied in the literature, 
see [1] for a survey. 

When $m = 1$, for sequences of the largest possible period $t = p$, a number of results about the distribution of the fractions $u_n/p$ in the interval $[0, 1)$ and, more generally, about the distribution of the points

$$\left(\frac{u_n}{p}, \ldots, \frac{u_{n+s-1}}{p}\right) \qquad (2)$$

in the $s$-dimensional unit cube $[0, 1)^s$ have been obtained, see the recent series of papers [3, 5, 6, 7, 8] for more details. In the paper [2], the same method for nonlinear generators of arbitrary order $m > 1$ is presented. In particular, the paper [2] gives a nontrivial upper bound on exponential sums and the discrepancy of the corresponding sequences for polynomials of total degree $d > 1$ which have a dominating term (see Theorem 1 and Theorem 2 in that paper). As in [2], we say that a polynomial $f(X_1, \ldots, X_m) \in \mathbb F_p[X_1, \ldots, X_m]$ has a dominating term if it is of the form

$$f(X_1, \ldots, X_m) = a_{d_1 \ldots d_m} X_1^{d_1} \cdots X_m^{d_m} + \sum_{i_1=0}^{d_1-1} \cdots \sum_{i_m=0}^{d_m-1} a_{i_1 \ldots i_m} X_1^{i_1} \cdots X_m^{i_m}$$



S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 192-199, 2001.
© Springer-Verlag Berlin Heidelberg 2001
with some integers $d_1 \ge 1, d_2 \ge 0, \ldots, d_m \ge 0$ and coefficients $a_{i_1 \ldots i_m} \in \mathbb F_p$ with $a_{d_1 \ldots d_m} \ne 0$. We denote by $\mathcal{DT}$ the class of polynomials having a dominating term.

In this paper we extend Theorem 1 and Theorem 2 of [2] to a very large class of polynomials, including arbitrary polynomials of degree greater than one with respect to the variable $X_m$, that is, polynomials $f$ with $\deg_{X_m}(f) > 1$. This question appears in [2] as an important open problem. This note is based on properties of the composition of multivariate polynomials which could be of independent interest.

The paper is divided into three sections. In Section 2 we study the behaviour of the polynomials under composition. In Section 3 we extend the result of [2]. Finally, in Section 4 we pose some open problems.

2 Iterations of Multivariate Polynomials

Let $\mathbb K$ be an arbitrary field and let $f$ be a polynomial in $\mathbb K[X_1, \ldots, X_m]$. As in the paper [2], we consider, for $k = 1, 2, \ldots$, the sequence of polynomials $f_k(X_1, \ldots, X_m) \in \mathbb K[X_1, \ldots, X_m]$ given by the recurrence relation

$$f_k(X_1, \ldots, X_m) = f\big(f_{k-1}(X_1, \ldots, X_m), \ldots, f_{k-m}(X_1, \ldots, X_m)\big),$$

where $f_k(X_1, \ldots, X_m) = X_{1-k}$ for $k = -m+1, \ldots, 0$.

In this section we give sufficient conditions on the polynomial $f$ for the polynomial sequence $f_k$, $k = -m+1, \ldots$, to be linearly independent. In order to prove this we may suppose, without loss of generality, that $\mathbb K$ is an algebraically closed field. A central tool for studying this sequence of polynomials is the following ring homomorphism

$$\phi : \mathbb K[X_1, \ldots, X_m] \to \mathbb K[X_1, \ldots, X_m]$$

defined by $\phi(X_1) = f$ and $\phi(X_k) = X_{k-1}$, for $k = 2, \ldots, m$.

Lemma 1. With the above notation, we have the following:

- $\phi^j(f_k) = f_{k+j}$, for $j \ge 0$ and $k = -m+1, \ldots, 0, 1, 2, \ldots$.

- The polynomial $f$ has degree greater than zero with respect to the variable $X_m$ if and only if $\phi^j$ is an injective map, for every $j \ge 1$. In particular, the polynomials $\{f_r, f_{r+1}, \ldots, f_{r+m-1}\}$ are algebraically independent, for all $r \ge -m+1$.

Proof. The first part is immediate from the definition of the ring homomorphism $\phi$.

On the other hand, $\phi$ is injective if and only if its kernel is trivial, that is, $\phi$ is injective if and only if

$$\{p \in \mathbb K[X_1, \ldots, X_m] : \phi(p) = 0\} = \{0\}.$$

If $p \in \mathbb K[X_1, \ldots, X_m]$, then $\phi(p) = p(f, X_1, \ldots, X_{m-1})$; so $\phi(p) = 0$ forces $p = 0$ if and only if $\{X_{m-1}, \ldots, X_1, f\}$ are algebraically independent. If $\deg_{X_m}(f) > 0$ then $X_m$ is algebraically dependent over $\mathbb K(f, X_1, \ldots, X_{m-1})$, so this field has transcendence degree $m$ over $\mathbb K$. Consequently $\{X_{m-1}, \ldots, X_1, f\}$ are algebraically independent over $\mathbb K$ if and only if $\deg_{X_m}(f) > 0$.




194 J. Gutierrez and D. Gomez-Perez



Finally, by the first part, $\phi^{r+m-1}(X_{m-j}) = f_{r+j}$, for $j = 0, \ldots, m-1$. Now the claim follows by induction on $r$. □

We say that a multivariate polynomial $f(X_1, \ldots, X_m) \in \mathbb K[X_1, \ldots, X_m]$ is quasi-linear in $X_m$ if it is of the form $f = aX_m + g$ where $0 \ne a \in \mathbb K$ and $g \in \mathbb K[X_1, \ldots, X_{m-1}]$. We denote by $\mathcal{NL}$ the class of polynomials of degree greater than zero with respect to the variable $X_m$ which are not quasi-linear in $X_m$. So the class $\mathcal{NL}$ is the set of all polynomials except the polynomials which do not depend on $X_m$ and the quasi-linear polynomials.

Lemma 2. Let $f$ be an element of $\mathcal{NL}$. Then any finite family of the polynomials $f_k$, $k = -m+1, \ldots, 0, 1, \ldots$, is linearly independent.

Proof. We prove it by induction on $m$. For $m = 1$ it is obvious, because the degree is multiplicative with respect to polynomial composition. Now we assume that $\deg_{X_m}(f) > 0$ and suppose that we have a nonzero linear combination

$$a_r f_r + a_{r+1} f_{r+1} + \cdots + a_{r+s} f_{r+s} = 0, \qquad (3)$$

where $a_j \in \mathbb K$ and $a_r \ne 0$. We claim that $X_m \in \mathcal I$, where $\mathcal I$ is the ideal in the polynomial ring $\mathbb K[X_1, \ldots, X_m]$ generated by $X_1, \ldots, X_{m-1}$ and $\tilde f$, with $\tilde f = f - f(0, \ldots, 0)$.

By Lemma 1, $\phi^{r+m-1}$ is an injective map and

$$\phi^{r+m-1}(X_m) = f_r.$$

Applying the inverse of $\phi^{r+m-1}$ to equation (3), we obtain

$$a_r X_m + a_{r+1} X_{m-1} + \cdots + a_{r+m-1} X_1 + a_{r+m} f_1 + \cdots + a_{r+s} f_{s-m+1} = 0. \qquad (4)$$

We show that $\tilde f_t = f_t - f_t^0 \in \mathcal I$, where $f_t^0 = f_t(0, \ldots, 0)$. By the uniqueness of the classical Euclidean division,

$$f = (X_1 - f_{t-1}^0)\, g_1 + r_1(X_2, \ldots, X_m)$$

and

$$r_1(X_2, \ldots, X_m) = (X_2 - f_{t-2}^0)\, g_2 + r_2(X_3, \ldots, X_m).$$

Proceeding recursively, we have

$$f = (X_1 - f_{t-1}^0)\, g_1 + \cdots + (X_{m-1} - f_{t-m+1}^0)\, g_{m-1} + (X_m - f_{t-m}^0)\, g_m + g_0,$$

where $g_i \in \mathbb K[X_1, \ldots, X_m]$, $i = 1, \ldots, m$, and $g_0 \in \mathbb K$. Since $f_t = f(f_{t-1}, \ldots, f_{t-m})$ we have that $g_0 = f_t^0$. Now, by induction on $t$, we show that $\tilde f_t \in \mathcal I$ for $t \ge 1$; note that $\tilde f_1 = \tilde f \in \mathcal I$ and $\tilde f_k = X_{1-k} \in \mathcal I$ for $k = -m+2, \ldots, 0$. For $t \ge 2$ we observe that

$$f_t = f(f_{t-1}, \ldots, f_{t-m}) = (f_{t-1} - f_{t-1}^0)\, g_1(f_{t-1}, \ldots, f_{t-m}) + \cdots + (f_{t-m} - f_{t-m}^0)\, g_m(f_{t-1}, \ldots, f_{t-m}) + g_0.$$

Then $\tilde f_t = f_t - f_t^0 = \sum_{i=1}^{m} \tilde f_{t-i}\, g_i(f_{t-1}, \ldots, f_{t-m}) \in \mathcal I$.

Using equation (4), and noting that its constant terms cancel because (4) also holds at the origin, we have

$$a_r X_m = -\big(a_{r+1} X_{m-1} + \cdots + a_{r+m-1} X_1 + a_{r+m} \tilde f_1 + \cdots + a_{r+s} \tilde f_{s-m+1}\big).$$

We have just proved that $\tilde f_t \in \mathcal I$, so $X_m \in \mathcal I$ and there exist polynomials $w_i \in \mathbb K[X_1, \ldots, X_m]$, $i = 1, \ldots, m$, such that

$$X_m = X_1 w_1 + \cdots + X_{m-1} w_{m-1} + \tilde f w_m;$$

setting $X_1 = \cdots = X_{m-1} = 0$ we get $X_m = \tilde f(0, \ldots, 0, X_m)\, w_m(0, \ldots, 0, X_m)$. As a consequence, $\tilde f(0, \ldots, 0, X_m)$ is a nonzero constant multiple of $X_m$ and we can write $f$ as follows:

$$f = X_1 h_1 + \cdots + X_{m-1} h_{m-1} + \alpha X_m + \beta, \qquad (5)$$

where $h_i \in \mathbb K[X_1, \ldots, X_m]$ ($i = 1, \ldots, m-1$), $\alpha, \beta \in \mathbb K$ and $\alpha \ne 0$. Now we consider the polynomial

$$H = f(X_1, \ldots, X_{m-1}, Y) - f(X_1, \ldots, X_{m-1}, Z) \in \mathbb K[X_1, \ldots, X_{m-1}, Y, Z].$$

We claim there exists a zero $(a_{0,1}, \ldots, a_{0,m-1}, \beta_0, \gamma_0) \in \mathbb K^{m+1}$ of the polynomial $H$ with $\beta_0 \ne \gamma_0$. In order to prove this last claim, we write the polynomial $f$ as a univariate polynomial in the variable $X_m$ with coefficients $b_j$ in the polynomial ring $\mathbb K[X_1, \ldots, X_{m-1}]$, $j = 0, \ldots, s$, that is, $f = b_s X_m^s + \cdots + b_1 X_m + b_0$ with $b_s \ne 0$. So,

$$H = b_s (Y^s - Z^s) + \cdots + b_1 (Y - Z).$$

If such a zero does not exist, then the zero set of $H$ coincides with the zero set of the polynomial $Y - Z$. Since $Y - Z$ is an irreducible polynomial in $\mathbb K[X_1, \ldots, X_{m-1}, Y, Z]$, by the Nullstellensatz (see for instance [4]) $H$ is a power of $Y - Z$, i.e., there exists a positive natural number $t$ such that $H = \gamma (Y - Z)^t$, where $0 \ne \gamma \in \mathbb K$. We have the following:

$$b_s (Y^s - Z^s) + \cdots + b_1 (Y - Z) = \gamma (Y - Z)^t.$$

From this polynomial equality, we obtain that $s = t$. Since $\gamma (Y - Z)^s$ is a homogeneous polynomial in $Y, Z$, comparing the parts of degree $s$ in $Y, Z$ gives $b_s (Y^s - Z^s) = \gamma (Y - Z)^s$, so $b_s = \gamma$ is a nonzero constant. Now, setting $X_1 = \cdots = X_{m-1} = 0$ in (5), we get that $s = 1$ and $f$ must be $b_1 X_m + b_0$, that is, $f$ is a quasi-linear polynomial in $X_m$. By the assumption $f \in \mathcal{NL}$, this is a contradiction.

Finally, we evaluate the left-hand side of the polynomial equality (4) at the point $P_0 = (a_{0,1}, \ldots, a_{0,m-1}, \beta_0)$ and obtain

$$a_r \beta_0 + a_{r+1} a_{0,m-1} + \cdots + a_{r+m-1} a_{0,1} + a_{r+m} f(P_0) + \cdots + a_{r+s} f_{s-m+1}(P_0) = 0. \qquad (6)$$

We also evaluate (4) at the point $Q_0 = (a_{0,1}, \ldots, a_{0,m-1}, \gamma_0)$ and obtain

$$a_r \gamma_0 + a_{r+1} a_{0,m-1} + \cdots + a_{r+m-1} a_{0,1} + a_{r+m} f(Q_0) + \cdots + a_{r+s} f_{s-m+1}(Q_0) = 0. \qquad (7)$$

We observe that $f_k(P_0) = f_k(Q_0)$ for all $k \ge 1$, since $f(P_0) = f(Q_0)$ and $X_m$ enters $f_k$ only through $f_1 = f$. Thus, subtracting equation (7) from equation (6), we get $a_r (\beta_0 - \gamma_0) = 0$. Again, this is a contradiction and the result follows. □
We can also extend the above result to another class of polynomials. We say that a multivariate polynomial $f(X_1, \ldots, X_m) \in \mathbb K[X_1, \ldots, X_m]$ of total degree $d$ has the dominating variable $X_1$ if it is of the form

$$f = a_d X_1^d + a_{d-1} X_1^{d-1} + \cdots + a_0$$

where $d > 0$ and $a_i \in \mathbb K[X_2, \ldots, X_m]$, with $a_d \ne 0$ (so $a_d \in \mathbb K$, since $f$ has total degree $d$). We denote by $\mathcal{DV}$ the class of polynomials having the dominating variable $X_1$.

Lemma 3. With the above notation, for a polynomial $f \in \mathcal{DV}$ the total degree of the polynomial $f_k$ is $d^k$, $k = 1, 2, \ldots$. In particular, if $d > 1$, any finite family of the polynomials $f_k$, $k = -m+1, \ldots, 0, 1, \ldots$, is linearly independent.

Proof. We prove this statement by induction on $k$. For $k = 1$ it is obvious. Now we assume that $k \ge 2$. We have

$$f_k = a_d f_{k-1}^d + a_{d-1}(f_{k-2}, \ldots, f_{k-m})\, f_{k-1}^{d-1} + \cdots + a_0(f_{k-2}, \ldots, f_{k-m}).$$

We remark that

$$\deg(a_{d-i}) \le i, \qquad i = 0, \ldots, d,$$

because $\deg f = d$. Using the induction assumption (and $\deg f_j \le 1$ for $j \le 0$) we obtain

$$\deg\big(a_{d-i}(f_{k-2}, \ldots, f_{k-m})\, f_{k-1}^{d-i}\big) = \deg\big(a_{d-i}(f_{k-2}, \ldots, f_{k-m})\big) + \deg\big(f_{k-1}^{d-i}\big) \le i\, d^{k-2} + (d-i)\, d^{k-1}$$

for all $i = 1, \ldots, d$. On the other hand,

$$\deg(a_d f_{k-1}^d) = \deg(f_{k-1}^d) = d^k,$$

since $a_d$ is a nonzero constant. Finally, we observe that $d^k > i\, d^{k-2} + (d-i)\, d^{k-1}$ for all $i = 1, \ldots, d$. □

We have the following corollary.

Corollary 1. If $f$ is a polynomial in $\mathbb K[X_1, X_2]$ of total degree greater than one, then any finite family of the polynomials $f_k$, $k = -m+1, \ldots, 0, 1, \ldots$, is linearly independent.

Proof. It is an immediate consequence of Lemmas 2 and 3. □

We observe that any polynomial in the class $\mathcal{NL}$ has total degree greater than one. On the other hand, if $f$ is a linear polynomial, the sequence $f_k$, $k = 1, \ldots$, is obviously linearly dependent.

The following examples illustrate that we have three different classes of multivariate polynomials in $m$ variables. The polynomial $f = X_1^2 + X_2 X_1$ has dominating variable $X_1$, that is, $f \in \mathcal{DV}$, but it does not have a dominating term, $f \notin \mathcal{DT}$. We also have that $f$ is not quasi-linear in $X_2$, so $f \in \mathcal{NL}$. Conversely, $g = X_1 X_2 + 1 \in \mathcal{DT} \cap \mathcal{NL}$, but $g \notin \mathcal{DV}$. Finally, $h = X_1^2 + X_2 \in \mathcal{DT} \cap \mathcal{DV}$ but $h \notin \mathcal{NL}$.
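To make the iteration and the classes concrete, here is a small Python implementation of the polynomial sequence $f_k$, the homomorphism $\phi$ of Lemma 1, membership tests for $\mathcal{DV}$ and $\mathcal{NL}$, and a rank computation over $\mathbb F_p$ that checks the linear independence asserted by Lemmas 2 and 3. This is an added example written for this page, not code from the paper: the dict-of-exponent-tuples representation, the sample polynomials and the modulus $p = 13$ are my own choices, and no $\mathcal{DT}$ test is attempted.

```python
# Iterates f_k of a multivariate polynomial over F_p (Section 2). A polynomial in
# m variables is a dict {exponent tuple: coefficient}: X1^2 + X2 is {(2,0): 1, (0,1): 1}.
# Added example illustrating Lemmas 1-3; not code from the paper.

def normalize(f, p):
    return {e: c % p for e, c in f.items() if c % p}

def poly_add(f, g, p):
    h = dict(f)
    for e, c in g.items():
        h[e] = h.get(e, 0) + c
    return normalize(h, p)

def poly_mul(f, g, p):
    h = {}
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            h[e] = h.get(e, 0) + c1 * c2
    return normalize(h, p)

def poly_compose(f, args, p):
    """f(g_1, ..., g_m): substitute the polynomials args for X_1, ..., X_m."""
    m = len(args)
    result = {}
    for e, c in f.items():
        term = {(0,) * m: c}
        for j, k in enumerate(e):
            for _ in range(k):
                term = poly_mul(term, args[j], p)
        result = poly_add(result, term, p)
    return result

def var(j, m):
    """The variable X_j (1-based) as a polynomial in m variables."""
    return {tuple(1 if i == j - 1 else 0 for i in range(m)): 1}

def iterates(f, m, p, kmax):
    """{k: f_k} for k = -m+1, ..., kmax: f_k = X_{1-k} for k <= 0 and
    f_k = f(f_{k-1}, ..., f_{k-m}) for k >= 1."""
    fk = {k: var(1 - k, m) for k in range(-m + 1, 1)}
    for k in range(1, kmax + 1):
        fk[k] = poly_compose(f, [fk[k - i] for i in range(1, m + 1)], p)
    return fk

def phi(g, f, m, p):
    """Ring homomorphism phi: X_1 -> f, X_k -> X_{k-1}; Lemma 1 says phi(f_k) = f_{k+1}."""
    return poly_compose(g, [f] + [var(k - 1, m) for k in range(2, m + 1)], p)

def total_degree(f):
    return max((sum(e) for e in f), default=-1)

def degree_in(f, j):
    return max((e[j - 1] for e in f), default=-1)

def in_DV(f):
    """Dominating variable X_1: the total degree d > 0 is attained by X_1^d."""
    d = total_degree(f)
    return d > 0 and degree_in(f, 1) == d

def in_NL(f, m):
    """deg_{X_m} f > 0 and f is not quasi-linear in X_m (f = a X_m + g, g free of X_m)."""
    if degree_in(f, m) < 1:
        return False
    quasi_linear = degree_in(f, m) == 1 and all(
        not any(e[:m - 1]) for e in f if e[m - 1] == 1)
    return not quasi_linear

def rank_mod_p(polys, p):
    """Rank of the coefficient vectors over F_p (Gaussian elimination)."""
    monomials = sorted({e for f in polys for e in f})
    rows = [[f.get(e, 0) % p for e in monomials] for f in polys]
    rank = 0
    for col in range(len(monomials)):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], -1, p)
        rows[rank] = [(x * inv) % p for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                c = rows[i][col]
                rows[i] = [(a - c * b) % p for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def linearly_independent(polys, p):
    return rank_mod_p(polys, p) == len(polys)

if __name__ == "__main__":
    p = 13
    h = {(2, 0): 1, (0, 1): 1}          # X1^2 + X2: in DV, not in NL (constructed sample)
    fk = iterates(h, 2, p, 4)
    print([total_degree(fk[k]) for k in range(1, 5)],
          linearly_independent(list(fk.values()), p))
```

With $h = X_1^2 + X_2$ the block reports degrees $2, 4, 8, 16$ for $f_1, \ldots, f_4$ (Lemma 3) and independence of $f_{-1}, \ldots, f_4$; for the linear $X_1 + X_2$ the rank of $\{f_{-1}, f_0, f_1\}$ drops to 2, the dependence noted above.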
3 Discrepancy Bound

We denote by $\mathcal T$ the union of the three classes, $\mathcal T = \mathcal{DV} \cup \mathcal{DT} \cup \mathcal{NL}$.

Following the proof of Theorem 1 in [2], we note that the only condition they require is the statement of the above results. So, as a consequence of Lemmas 2 and 3 and Corollary 1, we have Theorem 1 and Theorem 2 of [2] for polynomials $f(X_1, \ldots, X_m) \in \mathbb F_p[X_1, \ldots, X_m]$ with $f \in \mathcal T$ if $m > 2$, and for any non-linear polynomial $f$ if $m = 2$.

As in the paper [2], let the sequence $(u_n)$ generated by (1) be purely periodic with an arbitrary period $t$. For an integer vector $\mathbf a = (a_0, \ldots, a_{s-1}) \in \mathbb Z^s$, we introduce the exponential sum

$$S_{\mathbf a}(N) = \sum_{n=0}^{N-1} e\Big(\sum_{j=0}^{s-1} a_j u_{n+j}\Big),$$

where $e(z) = \exp(2\pi i z / p)$.

Theorem 1. Suppose that the sequence $(u_n)$, given by (1) generated by a polynomial $f(X_1, \ldots, X_m) \in \mathbb F_p[X_1, \ldots, X_m]$ of total degree $d \ge 2$, is purely periodic with period $t$ and $t \ge N \ge 1$. If $m = 2$ or $f \in \mathcal T$, then the bound

$$\max_{\gcd(a_0, \ldots, a_{s-1}, p) = 1} |S_{\mathbf a}(N)|$$

holds, where the implied constant depends only on $d$ and $s$.

As in the paper [2], for a sequence of $N$ points

$$\Gamma = (\gamma_{1,n}, \ldots, \gamma_{s,n})_{n=1}^{N}$$

of the half-open interval $[0, 1)^s$, denote by $\Delta_\Gamma$ its discrepancy, that is,

$$\Delta_\Gamma = \sup_{B \subseteq [0,1)^s} \left| \frac{T_\Gamma(B)}{N} - |B| \right|,$$

where $T_\Gamma(B)$ is the number of points of the sequence $\Gamma$ which hit the box

$$B = [\alpha_1, \beta_1) \times \cdots \times [\alpha_s, \beta_s) \subseteq [0, 1)^s,$$

$|B|$ is its volume, and the supremum is taken over all such boxes.

Let $D_s(N)$ denote the discrepancy of the points (2) for $n = 0, \ldots, N-1$.

Theorem 2. Suppose that the sequence $(u_n)$, given by (1) generated by a polynomial $f(X_1, \ldots, X_m) \in \mathbb F_p[X_1, \ldots, X_m]$ of total degree $d \ge 2$, is purely periodic with period $t$ and $t \ge N \ge 1$. If $m = 2$ or $f \in \mathcal T$, then the bound

$$D_s(N) = O\big(N^{-1/2} p^{1/2} \log^{-1/2} p\, (\log \log p)^s\big)$$

holds, where the implied constant depends only on $d$ and $s$.

In particular, Theorems 1 and 2 apply to any polynomial which is non-linear with respect to $X_1$. Thus these are direct generalizations of the results of [5].
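The following Python example (added here, not from the paper) implements the generator (1) of the introduction for a polynomial over $\mathbb F_p$, finds its preperiod and period so that only a purely periodic stretch is analysed, evaluates the exponential sum $S_{\mathbf a}(N)$ of this section, and computes the one-dimensional discrepancy of the fractions $u_n/p$ (the $s = 1$ case of the points (2)) exactly, using Niederreiter's sorted-points formula for the extreme discrepancy. The polynomials, initial values and moduli in it are constructed samples, not taken from the paper.

```python
# Nonlinear multiple recursive generator (1) over F_p, its period, the exponential
# sum S_a(N) of Section 3 and the 1-dimensional discrepancy of u_n/p.
# Added example, not the paper's code; the polynomials below are constructed samples.
import cmath

def evaluate(f, point, p):
    """f given as {exponent tuple: coeff}, evaluated at point in F_p^m."""
    total = 0
    for e, c in f.items():
        term = c
        for x, k in zip(point, e):
            term = term * pow(x, k, p) % p
        total += term
    return total % p

def step(f, state, p):
    """state = (u_{n-m+1}, ..., u_n) -> (u_{n-m+2}, ..., u_{n+1}),
    with X_1 = u_n, ..., X_m = u_{n-m+1} as in (1)."""
    u = evaluate(f, tuple(reversed(state)), p)
    return state[1:] + (u,)

def period(f, init, p):
    """(preperiod, period) of the state sequence from init = (u_0, ..., u_{m-1})."""
    seen, state, n = {}, tuple(init), 0
    while state not in seen:
        seen[state] = n
        state = step(f, state, p)
        n += 1
    return seen[state], n - seen[state]

def one_period(f, init, p):
    """u_n over exactly one period, after discarding any preperiod."""
    pre, t = period(f, init, p)
    state = tuple(init)
    for _ in range(pre):
        state = step(f, state, p)
    out = []
    for _ in range(t):
        out.append(state[0])
        state = step(f, state, p)
    return out

def exp_sum(seq, a, p, N):
    """S_a(N) = sum_{n<N} e(sum_j a_j u_{n+j}), e(z) = exp(2 pi i z/p); seq is one period."""
    t = len(seq)
    return sum(cmath.exp(2j * cmath.pi * sum(aj * seq[(n + j) % t]
                                             for j, aj in enumerate(a)) / p)
               for n in range(N))

def discrepancy_1d(xs):
    """Extreme discrepancy over intervals [alpha, beta) of points in [0,1):
    D_N = 1/N + max_i (i/N - x_(i)) - min_i (i/N - x_(i)), x_(i) sorted."""
    xs, N = sorted(xs), len(xs)
    diffs = [(i + 1) / N - x for i, x in enumerate(xs)]
    return 1 / N + max(diffs) - min(diffs)

def analyse(f, init, p, a):
    """Period data, |S_a(N)| over the full period, and the discrepancy of u_n/p."""
    pre, t = period(f, init, p)
    seq = one_period(f, init, p)
    return {"preperiod": pre, "period": t,
            "exp_sum": abs(exp_sum(seq, a, p, t)),
            "discrepancy": discrepancy_1d([u / p for u in seq])}

if __name__ == "__main__":
    p = 101
    f = {(2, 0): 1, (0, 1): 3, (0, 0): 1}   # X1^2 + 3 X2 + 1, constructed sample (m = 2)
    print(analyse(f, (1, 2), p, (1, 1)))
```

For a sequence with the full period $t$, $|S_{\mathbf a}(t)|$ compared with the trivial bound $t$ is the quantity Theorem 1 controls; the discrepancy printed for $m = 1$ and $f = X_1 + 1$ over a full period is $1/p$, the best possible, while a polynomial with a short cycle gives a discrepancy close to 1.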
4 Remarks

We have extended the results of [2] to a very large class of polynomials, including multivariate polynomials $f$ such that $\deg_{X_m}(f) > 1$. The only remaining open problem is for the subclass of polynomials of the form $g(X_1, \ldots, X_{m-1}) + aX_m$, where $a \in \mathbb F_p$, $a \ne 0$.

On the other hand, it would be very interesting to extend these results to the case of generators defined by a list of $m$ polynomials of $\mathbb F_p[X_1, \ldots, X_m]$:

$$F = \big(f_1(X_1, \ldots, X_m), \ldots, f_m(X_1, \ldots, X_m)\big).$$

For each $i = 1, \ldots, m$ we define the sequence of polynomials $f_i^{(k)}(X_1, \ldots, X_m) \in \mathbb F_p[X_1, \ldots, X_m]$ by the recurrence relation

$$f_i^{(0)} = f_i, \qquad f_i^{(k+1)}(X_1, \ldots, X_m) = f_i^{(k)}(f_1, \ldots, f_m), \qquad k = 0, 1, \ldots.$$

So, for every $k$, we have the following list of $m$ multivariate polynomials:

$$F^{(k)} = \big(f_1^{(k)}(X_1, \ldots, X_m), \ldots, f_m^{(k)}(X_1, \ldots, X_m)\big).$$

Now, the question is for what general families of polynomials $F$, for any two numbers $r$ and $s$ with $0 \le r < s$, the polynomials $f_i^{(s)} - f_i^{(r)}$, $i = 1, \ldots, m$, are linearly independent.
Abstract. Cyclotomic constructions are given for several infinite families of even-length binary sequences which have low negaperiodic autocorrelation. It appears that two of the constructions have asymptotic Merit Factor 6.0, which is very high. Mappings from periodic to negaperiodic autocorrelation are also discussed.



1 Introduction 

The Periodic Autocorrelation Function (PACF) of a length $N$ binary sequence $s(t)$ is

$$P_s(\omega) = \sum_{t=0}^{N-1} (-1)^{s(t+\omega) + s(t)}, \qquad 0 \le \omega < N, \qquad (1)$$

where sequence indices $t$ are taken mod $N$. $s(t)$ has optimal PACF when $|P_s(\omega)| = 1$, $\forall \omega \ne 0$, if $N$ is odd. For $N$ even, the PACF of $s(t) = 0001$ is $4, 0, 0, 0$, which is perfect as $P_s(\omega) = 0$, $\forall \omega \ne 0$. But, for $N$ even, $N > 4$, it is conjectured (but not proven) that there is no binary $s(t)$ with perfect PACF. If this conjecture is true then, for $N$ even, $N > 4$, binary $s(t)$ such that $\min_{s(t)} (\max_{1 \le \omega < N} |P_s(\omega)|) = 2$ ($4$) has best possible PACF, for $4 \nmid N$ ($4 \mid N$), respectively. However, when $s(t)$ is balanced (an equal number of zeros and ones) or almost-balanced ($|\#\text{zeros} - \#\text{ones}| = 1$), proof of optimality is possible. A recent paper [1] used cyclotomy to construct infinite¹ balanced (almost-balanced) binary sequence families of length $N = 2p$, for certain $p$ prime, with optimal PACF. In this paper we consider the Negaperiodic Autocorrelation Function (NACF) of $s(t)$,

$$Q_s(\omega) = \sum_{t=0}^{N-1} (-1)^{s(t+\omega) + s(t) + \lfloor (t+\omega)/N \rfloor}, \qquad 0 \le \omega < N, \qquad (2)$$

where sequence indices $t$ are taken mod $N$. For example, the NACF of $s(t) = 110101$ is $Q_s(\omega) = 6, -4, 2, 0, -2, 4$. Binary $s(t)$ has optimal NACF when $|Q_s(\omega)|$

¹ 'infinite' means there is no upper limit on $N$ for which the construction is valid.



S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 200-209, 2001.
$= 1$, $\forall \omega \ne 0$, if $N$ is odd. For even $N$ the NACF of $s(t) = 01$ is $2, 0$, which is perfect as $Q_s(\omega) = 0$, $\forall \omega \ne 0$. But for $N$ even, $N > 2$, we conjecture (but cannot prove) that there is no binary $s(t)$ with perfect NACF. If this conjecture is true then, for $N$ even, $N > 2$, binary $s(t)$ such that $\min_{s(t)} (\max_{1 \le \omega < N} |Q_s(\omega)|) = 2$ has best possible NACF. We provide constructions for such 'conjectured optimal' sequences $s(t)$ in Theorems 1 and 2, where $s(t)$ is not necessarily balanced or almost-balanced.² We can always define an odd-length binary sequence $e(t)$ such that $e(t) = s(t) + t \pmod 2$, where $Q_e(\omega) = (-1)^\omega P_s(\omega)$ (Lemma 2), so low odd-length-$N$ PACF constructions trivially map to low odd-length-$N$ NACF constructions. However, most even-length sequences with low NACF cannot be trivially derived from even-length sequences with known PACF, although we do review some useful mappings in Section 5. In this paper cyclotomy is used to construct binary sequence families of even length $N = 2p$ ($N = 4p$) with low NACF for certain $p$ prime. Unlike the sequences of [1], the sequences of this paper are not necessarily balanced or almost-balanced. Sequences with low NACF can be used in spread-spectrum systems in a similar way to sequences with low PACF, and with comparable complexity [9]. The Aperiodic Autocorrelation Function (AACF) of a length $N$ binary sequence $s(t)$ is

$$A_s(\omega) = \sum_{t=0}^{N-1} (-1)^{s(t+\omega) + s(t)}, \qquad -N < \omega < N, \qquad (3)$$

where terms with $t + \omega \notin [0, N)$ are omitted (the $\pm 1$ sequence is taken to be $0$ for $t < 0$ or $t \ge N$). The AACF is the sum and difference of the PACF and NACF:

$$A_s(\omega) = \tfrac12 \big(P_s(\omega) + Q_s(\omega)\big), \qquad 0 \le \omega < N,$$
$$A_s(\omega) = \tfrac12 \big(P_s(N-\omega) - Q_s(N-\omega)\big), \qquad -N < \omega < 0, \qquad (4)$$

where $|A_s(\omega)| = |A_s(-\omega)|$. It is a well-known open problem to identify the lowest possible values of $|A_s(\omega)|$ for a length $N$ sequence $s$. The 'Golay Merit Factor' (MF) [8] is a common metric used to measure the aperiodic optimality of a sequence and is given by

$$M_s = \frac{N^2}{2 \sum_{\omega=1}^{N-1} A_s(\omega)^2}. \qquad (5)$$

Lower values of $|A_s(\omega)|$ give higher MF. The highest MF for a given length $N$ binary sequence is not known in general. The asymptote $M_s = 6.0$, $N \to \infty$, is the highest known asymptote for a sequence $s$ belonging to an infinite family of binary sequences, where the construction is a cyclic shift (cyclically shifted by approximately $N/4$) of a Legendre or Modified-Jacobi sequence [7, 8], although Golay has constructed skewsymmetric binary sequences with MFs generally between 8.00 and 9.00 [3, 4, 5] up to lengths $N = 100$ or so. The Rudin-Shapiro-based constructions [2, 6, 11, 10] achieve PACF and NACF upper bounds which

² Computations show that binary $s(t)$ satisfying $\min_{s(t)} (\max_{1 \le \omega < N} |Q_s(\omega)|) = 2$ exist for all even $N$ up to $N = 38$. This is in contrast to the PACF when $4 \mid N$, where computations suggest $\min_{s(t)} (\max_{1 \le \omega < N} |P_s(\omega)|) = 4$.
appear to be asymptotically of the same order, leading to an asymptotic MF of 3.0.

This paper shows, experimentally, that the constructions of Theorems 1 and 2 also approach $M_s = 6.0$ as $N \to \infty$, and Section 5 argues that this is because these constructions are closely related to Legendre sequences.
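As an added illustration (not code from the paper), the Python below implements $P_s$, $Q_s$, $A_s$ and the Merit Factor exactly as in (1), (2), (3) and (5), checks the identity $A_s = \tfrac12(P_s + Q_s)$ of (4), and reproduces the small cases quoted above ($0001$ and $110101$). It also searches exhaustively for $\min_s \max_{\omega \ne 0} |Q_s(\omega)|$ at small even $N$, the quantity behind footnote 2; `legendre_negated` builds the negated Legendre sequence that Example 3 of Section 5 uses. All inputs are constructed here.

```python
# PACF, NACF, AACF and Golay Merit Factor of a binary sequence given as a '0'/'1'
# string, following (1), (2), (3) and (5); added example, not the paper's code.
from itertools import product

def pm(s):
    """(-1)^s(t): map '0' -> +1, '1' -> -1."""
    return [1 - 2 * int(ch) for ch in s]

def pacf(s):
    """P_s(w) = sum_t (-1)^(s(t+w)+s(t)), indices mod N.   (1)"""
    x, N = pm(s), len(s)
    return [sum(x[t] * x[(t + w) % N] for t in range(N)) for w in range(N)]

def nacf(s):
    """Q_s(w): as P_s, but a term that wraps past N picks up an extra sign.   (2)"""
    x, N = pm(s), len(s)
    return [sum(x[t] * x[(t + w) % N] * (-1) ** ((t + w) // N) for t in range(N))
            for w in range(N)]

def aacf(s):
    """A_s(w) for 0 <= w < N: no wrap-around at all.   (3)"""
    x, N = pm(s), len(s)
    return [sum(x[t] * x[t + w] for t in range(N - w)) for w in range(N)]

def merit_factor(s):
    """Golay merit factor N^2 / (2 * sum_{w>=1} A_s(w)^2).   (5)"""
    a, N = aacf(s), len(s)
    return N * N / (2 * sum(v * v for v in a[1:]))

def aacf_identity_holds(s):
    """A_s(w) = (P_s(w) + Q_s(w)) / 2 for every 0 <= w < N.   (4)"""
    P, Q, A = pacf(s), nacf(s), aacf(s)
    return all(2 * A[w] == P[w] + Q[w] for w in range(len(s)))

def min_max_offpeak_nacf(N):
    """min over all binary s of length N of max_{w != 0} |Q_s(w)|, by exhaustive
    search (fine for N <= 16). Footnote 2 reports the value 2 for even N up to 38."""
    best = None
    for bits in product('01', repeat=N):
        peak = max(abs(v) for v in nacf(''.join(bits))[1:])
        if best is None or peak < best:
            best = peak
    return best

def legendre_negated(p):
    """s(t) = 1 for t = 0 and for t a quadratic residue mod p, else 0 (as in Example 3)."""
    qr = {(x * x) % p for x in range(1, p)}
    return ''.join('1' if t == 0 or t in qr else '0' for t in range(p))

if __name__ == "__main__":
    for s in ("0001", "110101", legendre_negated(13)):
        print(s, pacf(s), nacf(s), round(merit_factor(s), 3))
```

For $s = 0001$ the block returns $P_s = 4, 0, 0, 0$ and the Barker-like merit factor $4.0$; for $110101$ it returns the NACF $6, -4, 2, 0, -2, 4$ quoted above, and the exhaustive search confirms that $N = 2$ is the only even length with a perfect NACF among the small cases.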

2 Construction

Instead of constructing a length $N$ sequence $s(t)$, we construct a length $2N$ sequence $s'(t)$, where $s'(t) = s(t)$ for $0 \le t < N$ and $s'(t) = s(t - N) + 1 \pmod 2$ for $N \le t < 2N$. The NACF of $s(t)$ and the PACF of $s'(t)$ are related as follows:

$$Q_s(\omega) = \tfrac12 P_{s'}(\omega), \qquad 0 \le \omega < N.$$

For example, if $s'(t) = 11010111110010100000$ then $s(t) = 1101011111$, $P_{s'}(\omega) = 20, 0, 4, 0, -4, 0, 4, 0, -4, 0, -20, 0, -4, 0, 4, 0, -4, 0, 4, 0$, so $Q_s(\omega) = 10, 0, 2, 0, -2, 0, 2, 0, -2, 0$. The construction method uses cyclotomy, as in [1], to specify a subset $C$ of $\mathbb Z_{2N}$ that defines the characteristic sequence $s'(t)$ of $C$:

$$s'(t) = \begin{cases} 1, & \text{if } t \in C \\ 0, & \text{otherwise.} \end{cases}$$

The PACF is determined by the difference function

$$d_C(\omega) = |C \cap (C + \omega)|,$$

where $C + \omega$ denotes the set $\{c + \omega : c \in C\}$ and '+' denotes addition mod $2N$. The PACF of $s'(t)$ is then

$$P_{s'}(\omega) = 2N - 4\big(|C| - d_C(\omega)\big). \qquad (6)$$

This paper gives constructions for $N = 2p$ and $N = 4p$, $p$ prime. We therefore specify $C$ over $\mathbb Z_{4p}$ and $\mathbb Z_{8p}$. By the Chinese Remainder Theorem (CRT), $\mathbb Z_{rp}$ is isomorphic to $\mathbb Z_r \times \mathbb Z_p$ when $\gcd(r, p) = 1$. For $2N = rp$, let $C'' = \{\{n\} \times C_n \mid C_n \subseteq \mathbb Z_p, 0 \le n < r\}$, $F = \{G \times \{0\} \mid G \subseteq \mathbb Z_r\}$, and $C = C'' \cup F$. Write $\omega = (\omega_1, \omega_2) \in \mathbb Z_r \times \mathbb Z_p$. Then

$$\begin{aligned} d_C(\omega_1, \omega_2) &= |C \cap (C + (\omega_1, \omega_2))| \\ &= \sum_{k=0}^{r-1} |C_k \cap (C_{k-\omega_1} + \omega_2)| + |F \cap (F + (\omega_1, \omega_2))| \\ &\quad + \sum_{k=0}^{r-1} |F \cap (k + \omega_1, C_k + \omega_2)| + \sum_{k=0}^{r-1} |(k, C_k) \cap (F + (\omega_1, \omega_2))|, \end{aligned} \qquad (7)$$

where the second term equals $|G \cap (G + \omega_1)|$ when $\omega_2 = 0$ and vanishes otherwise. From (7) we see that if we know $|C_n \cap (C_m + \omega_2)|$, $\forall n, m$, $\omega_2 \in \mathbb Z_p$, and if we can also determine the last three terms involving $G$, then we can determine $d_C(\omega_1, \omega_2) = d_C(\omega)$, $\forall \omega$, and hence the PACF of $s'(t)$. If we construct $C_n$ from the union of various cyclotomic classes over $\mathrm{GF}(p)$, $\forall n$, then $|C_n \cap (C_m + \omega_2)|$ is
computable from the cyclotomic numbers over $\mathrm{GF}(p)$. Let $D_i$ be the cyclotomic class of order $d$, given by

$$D_i = \{\alpha^{dt + i} \mid 0 \le t < (p-1)/d\}, \qquad 0 \le i < d,$$

where $\alpha$ is a primitive generator of $\mathrm{GF}(p)^*$. Then the cyclotomic number $[i, j]$ of order $d$ over $\mathrm{GF}(p)$ is

$$[i, j] = |(D_i + 1) \cap D_j|. \qquad (8)$$

Note that $|C_n \cap (C_m + \omega_2)| = |\omega_2^{-1} C_n \cap (\omega_2^{-1} C_m + 1)| \pmod p$, for $\omega_2 \ne 0$. If $C_n = \bigcup_{i \in T_n} D_i$ and $\omega_2^{-1} \in D_h$, then $\omega_2^{-1} C_n = \bigcup_{k \in T_n} D_{k+h}$. Therefore

$$|\omega_2^{-1} C_n \cap (\omega_2^{-1} C_m + 1)| = \Big| \Big(\bigcup_{k \in T_n} D_{k+h}\Big) \cap \Big(\bigcup_{j \in T_m} D_{j+h} + 1\Big) \Big| = \sum_{k \in T_n} \sum_{j \in T_m} [j+h, k+h], \qquad (9)$$

i.e. a sum of cyclotomic numbers. We later use cyclotomic numbers to prove the NACF of some of the sequences we construct.

Example 1: $s'(t)$ is described by $C$ comprising $F$ and the $C_n$, which are, in turn, unions of various $D_i$ of order $d$. Let $2N = rp = 4p$, $d = 2$, and $C_0 = D_0$, $C_1 = D_0$, $C_2 = D_1$, $C_3 = D_1$. Let $G = \{1, 2\}$. Then, for $p = 13$ we can choose $\alpha = 2$ to give $D_0 = \{1, 4, 3, 12, 9, 10\}$ and $D_1 = \{2, 8, 6, 11, 5, 7\}$. Thus, using the CRT mod 52 (where $40 \equiv (0, 1)$ and $13 \equiv (1, 0)$ in $\mathbb Z_4 \times \mathbb Z_{13}$), we construct the sets $F = \{13, 26\}$ and

$(0, C_0) = 40\{1, 4, 3, 12, 9, 10\}$, $(1, C_1) = 13 + 40\{1, 4, 3, 12, 9, 10\}$,
$(2, C_2) = 26 + 40\{2, 8, 6, 11, 5, 7\}$, $(3, C_3) = 39 + 40\{2, 8, 6, 11, 5, 7\}$.

Then $C = (0, C_0) \cup (1, C_1) \cup (2, C_2) \cup (3, C_3) \cup F =$

$\{1, 2, 4, 6, 7, 9, 11, 12, 13, 15, 16, 17, 18, 19, 25, 26, 29, 31, 34, 36, 40, 46, 47, 48, 49, 50\}$.

Therefore $s'(t) = 0110101101011101111100000110010100101000100000111110$, and

$P_{s'}(\omega) = 52, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, -52, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0, -4, 0, 4, 0$.

Finally, the first half of $s'(t)$ is $s(t) = 01101011010111011111000001$, and

$Q_s(\omega) = 26, 0, -2, 0, 2, 0, -2, 0, 2, 0, -2, 0, 2, 0, -2, 0, 2, 0, -2, 0, 2, 0, -2, 0, 2, 0$.

Example 1 highlights the following restriction.

Lemma 1. For $s'(t)$ to satisfy $s'(t + N) = s'(t) + 1 \pmod 2$, $0 \le t < N$, we require that, if $C_n = \bigcup_{i \in T_n} D_i$, then $C_{n + r/2} = \bigcup_{i \notin T_n} D_i$. Moreover, if $j \in G$ ($\notin G$), then $j + r/2 \pmod r \notin G$ ($\in G$).

From Lemma 1 it is sufficient to describe $s(t)$ by defining $C_n$ for $0 \le n < r/2$, and by defining $G' \subseteq \mathbb Z_r$, where $G' = \{g \mid g \in G, g < r/2\}$.

A Compact Description for $s(t)$: $s(t)$ is compactly described by $\mathcal H = (G', \{\bigcup_{i \in T_0} D_i\}, \{\bigcup_{i \in T_1} D_i\}, \ldots, \{\bigcup_{i \in T_{r/2-1}} D_i\})$.

So for Example 1 we define $s(t)$ by $\mathcal H = (\{1\}, \{D_0\}, \{D_0\})$. Example 1 is taken from Theorem 1 of Section 3 and is a construction for length $N = 2p$ sequences $s(t)$ with low NACF.




204 M.G. Parker



3 Sequences with Low Negaperiodic Autocorrelation

3.1 Symmetries

Two length $K$ sequences $u(t)$ and $v(t)$ are called 'PACF-equivalent' ('NACF-equivalent') if they have the same distribution of PACF (NACF) magnitudes, and there exist well-defined operations that take $u(t)$ to and from $v(t)$. Such operations are called PACF-equivalent (NACF-equivalent) operations. Before presenting the constructions we first mention some PACF-equivalent operations on $s'(t)$. These translate into NACF-equivalent operations on $s(t)$.

PACF-equivalent operation on $s'(t)$ | NACF-equivalent operation on $s(t)$
Cyclic shift of $s'(t)$ | Negacyclic shift of $s(t)$
Reversal of $s'(t)$ | Reversal of $s(t)$
Negation of $s'(t)$ | Negation of $s(t)$

The following theorems and conjectures only present constructions for NACF-inequivalent sequences $s(t)$, and proofs of Theorems 1 and 2 are given at the end of this section.

Theorem 1. Let $p = 4f + 1$ be prime and $d = 2$. The length $N = 2p$ sequence $s(t)$ has conjectured optimal three-valued out-of-phase negaperiodic autocorrelation $\{-2, 0, 2\}$ if $\mathcal H = (\{1\}, \{D_0\}, \{D_0\})$.

Theorem 2. Let $p = 4f + 3$ be prime and $d = 2$. The length $N = 2p$ sequence $s(t)$ has conjectured optimal three-valued out-of-phase negaperiodic autocorrelation $\{-2, 0, 2\}$ if $\mathcal H = (\{0, 1\}, \{D_0\}, \{D_0\})$ or $\mathcal H = (\emptyset, \{D_0\}, \{D_0\})$.

In the following three Conjectures let $\gamma = \{a, b\}\{c, d\}\{e, f\}\{g, h\}$ be short for $\{D_a \cup D_b\}, \{D_c \cup D_d\}, \{D_e \cup D_f\}, \{D_g \cup D_h\}$.

Conjecture 1. Let $p$ be a prime of the form $(n^2 + 1)/2$, $8 \mid (p - 1)$, and $d = 4$. Let $s(t)$ be described by $\mathcal H = (G', \gamma)$. Then, for a given $\gamma$ chosen from the Conjecture 1 part of Table 1, there exist $\alpha$ and $\alpha^{-1}$ (a primitive generator and its inverse) such that the length $N = 4p$ sequence $s(t)$ has near-optimal five-valued out-of-phase negaperiodic autocorrelation $\{-4, -2, 0, 2, 4\}$ or $\{-18, -4, 0, 4, 18\}$, respectively, independent of the choice of $G'$.



Table 1. $G'$ and $\gamma$ values for Conjectures 1 and 2

Conjecture 1:
$G'$ | $\gamma$
$\{2\}$ | $\{0,3\}\{1,2\}\{0,1\}\{0,1\}$
$\{0,1,2\}$ | $\{1,2\}\{0,3\}\{0,1\}\{0,1\}$
$\{3\}$ | $\{2,3\}\{0,1\}\{1,2\}\{1,2\}$
$\{0,1,3\}$ | $\{0,1\}\{2,3\}\{1,2\}\{1,2\}$

Conjecture 2:
$G'$ | $\gamma$
$\{0\}$ | $\{0,3\}\{1,2\}\{0,1\}\{0,1\}$
$\{1\}$ | $\{1,2\}\{0,3\}\{0,1\}\{0,1\}$
$\{0,2,3\}$ | $\{2,3\}\{0,1\}\{1,2\}\{1,2\}$
$\{1,2,3\}$ | $\{0,1\}\{2,3\}\{1,2\}\{1,2\}$
Conjecture 2. Let $p$ be a prime of the form $(n^2 + 1)/2$, $8 \nmid (p - 1)$, and $d = 4$. Let $s(t)$ be described by $\mathcal H = (G', \gamma)$. Then, for a given $\gamma$ chosen from the Conjecture 2 part of Table 1, there exist $\alpha$ and $\alpha^{-1}$ such that the length $N = 4p$ sequence $s(t)$ has near-optimal five-valued out-of-phase negaperiodic autocorrelation $\{-4, -2, 0, 2, 4\}$ or $\{-22, -4, 0, 4, 22\}$, respectively, independent of the choice of $G'$.

Conjecture 3. Let $p$ be a prime of the form $n^2 + 4$, and $d = 4$. Let $s(t)$ be described by $\mathcal H = (G', \gamma)$. Then, for a given $\gamma$ chosen from the left-hand (right-hand) side of Table 2, there exist $\alpha$ and $\alpha^{-1}$ such that the length $N = 4p$ sequence $s(t)$ of $\mathcal H$ has near-optimal five- and seven-valued out-of-phase negaperiodic autocorrelation $\{-4, -2, 0, 2, 4\}$ or $\{-12, -4, -2, 0, 2, 4, 12\}$, respectively, for the single choice of $G'$ from the left-hand (right-hand) side of Table 2.



Table 2. $G'$ and $\gamma$ values for Conjecture 3

Left-hand side: $G' = \{0\}$, with $\gamma$ one of
$\{1,3\}\{0,2\}\{0,1\}\{0,1\}$
$\{0,2\}\{1,3\}\{0,1\}\{0,1\}$
$\{1,3\}\{0,2\}\{1,2\}\{1,2\}$
$\{0,2\}\{1,3\}\{1,2\}\{1,2\}$

Right-hand side: $G' = \{0,3\}$, with $\gamma$ one of
$\{0,1\}\{0,2\}\{0,2\}\{0,1\}$
$\{0,1\}\{1,3\}\{1,3\}\{0,1\}$
$\{1,2\}\{0,2\}\{0,2\}\{1,2\}$
$\{1,2\}\{1,3\}\{1,3\}\{1,2\}$



Example 2: A representative sequence of Conjecture 3 is $\mathcal H = (\{0, 3\}, \{D_0, D_1\}, \{D_0, D_2\}, \{D_0, D_2\}, \{D_0, D_1\})$. Then $C = (0, 0) \cup (3, 0) \cup (5, 0) \cup (6, 0) \cup (0, C_0) \cup (1, C_1) \cup (2, C_2) \cup (3, C_3) \cup (4, C_4) \cup (5, C_5) \cup (6, C_6) \cup (7, C_7)$, where

$C_0 = D_0 \cup D_1$, $C_1 = D_0 \cup D_2$, $C_2 = D_0 \cup D_2$, $C_3 = D_0 \cup D_1$,
$C_4 = D_2 \cup D_3$, $C_5 = D_1 \cup D_3$, $C_6 = D_1 \cup D_3$, $C_7 = D_2 \cup D_3$.

Let $p = 29$ and $d = 4$. Using $\alpha = 2$ as a primitive generator mod 29, $D_0 = \{1, 16, 24, 7, 25, 23, 20\}$, $D_1 = \{2, 3, 19, 14, 21, 17, 11\}$, $D_2 = \{4, 6, 9, 28, 13, 5, 22\}$, $D_3 = \{8, 12, 18, 27, 26, 10, 15\}$. Using the CRT,

$(0, C_0) = 88\{1, 16, 24, 7, 25, 23, 20, 2, 3, 19, 14, 21, 17, 11\} \pmod{232}$,
$(1, C_1) = 145 + 88\{1, 16, 24, 7, 25, 23, 20, 4, 6, 9, 28, 13, 5, 22\} \pmod{232}$,
$\ldots$ etc.

Similarly, $F = \{0, 203, 29, 174\}$. Therefore

$s(t) = 1101100001011011100101001100110011100101101110111100000101$
$\qquad\;\; 0101010100111110111100011111001000100100001110100100001000$

and the NACF of $s(t)$ is

$116, 2, 0, 2, -4, -2, 0, 2, 4, 2, 0, 2, -4, -2, 0, -2, 4, -2, 0, 2, -4, 2, 0, 2, 4, 2, \ldots$ etc.

Proof (of Theorem 1). We wish to compute $d_C(\omega_1, \omega_2)$ by evaluating (7) using (8) and (9). For $p = 4f + 1$, $\omega_2 \in D_h$ implies $\pm\omega_2^{-1} \in D_h$; we need this for
the last three terms of (7). The cyclotomic numbers of order $d = 2$ for $p = 4f + 1$ are $[0,0] = (p-5)/4$ and $[0,1] = [1,0] = [1,1] = (p-1)/4$. We have $C_0 = C_1 = D_0$, $C_2 = C_3 = D_1$, $G = \{(1, 0), (2, 0)\}$. Therefore

$d_C(0, 0) = |C| = 2(p - 1) + 2 = 2p$

$d_C(1, 0) = |C_0 \cap C_3| + |C_1 \cap C_0| + |C_2 \cap C_1| + |C_3 \cap C_2| + |G \cap (G + (1, 0))| = |D_0| + |D_1| + 1 = p$

$d_C(2, 0) = 2\big(|C_0 \cap C_2| + |C_1 \cap C_3|\big) + |G \cap (G + (2, 0))| = 0 + 0 = 0$

$d_C(3, 0) = d_C(1, 0) = p$ (using $d_C(-\omega_1, -\omega_2) = d_C(\omega_1, \omega_2)$)

$d_C(0, \omega_2) = \sum_{n=0}^{3} |C_n \cap (C_n + \omega_2)| + \sum_{k=0}^{3} |G \cap (k, C_k + \omega_2)| + \sum_{k=0}^{3} |(k, C_k) \cap (G + (0, \omega_2))|$
$= [0,0] + [0,0] + [1,1] + [1,1] + |\{(1,0), (2,0)\} \cap \{(1, C_1 + \omega_2) \cup (2, C_2 + \omega_2)\}| + |\{(1, C_1) \cup (2, C_2)\} \cap \{(1, \omega_2), (2, \omega_2)\}| = p - 3 + 1 + 1 = p - 1$,
for $\omega_2^{-1} \in D_0$, or $\omega_2^{-1} \in D_1$

$d_C(1, \omega_2) = \sum_{n=0}^{3} |C_n \cap (C_{n-1} + \omega_2)| + \sum_{k=0}^{3} |G \cap (k + 1, C_k + \omega_2)| + \sum_{k=0}^{3} |(k, C_k) \cap (G + (1, \omega_2))|$
$= [0,1] + [0,0] + [1,0] + [1,1] + |\{(1,0), (2,0)\} \cap \{(1, C_0 + \omega_2) \cup (2, C_1 + \omega_2)\}| + |\{(2, C_2) \cup (3, C_3)\} \cap \{(2, \omega_2), (3, \omega_2)\}| = p - 2 + 2 = p$,
for $\omega_2^{-1} \in D_0$, or $\omega_2^{-1} \in D_1$

similarly $d_C(2, \omega_2) = p - 1 + 1 + 1 = p + 1$ and $d_C(3, \omega_2) = p - 2 + 2 = p$, for $\omega_2^{-1} \in D_0$, or $\omega_2^{-1} \in D_1$.

Substituting $d_C(\omega_1, \omega_2)$ back into (6) gives the PACF distribution $\{0, 4, -4\}$ for $s'(t)$, implying an NACF distribution $\{0, 2, -2\}$ for $s(t)$. □

Proof (of Theorem 2). The proof is identical to that of Theorem 1, except that, for $p = 4f + 3$, $\omega_2 \in D_h$ implies $-\omega_2 \in D_{h+1 \pmod 2}$ and $\omega_2^{-1} \in D_h$. Moreover, the cyclotomic numbers of order $d = 2$ for $p = 4f + 3$ are $[0,1] = (p+1)/4$ and $[0,0] = [1,0] = [1,1] = (p-3)/4$. □

Conjectures 1-3 will hopefully be proved in a similar way to the above, but now cyclotomic numbers of order 4 are required.



4 Asymptotic Merit Factors

By computation, using (5), the constructions of Theorems 1 and 2 give sequences $s(t)$ with Merit Factor (MF) $M_s \to 6.0$ as $N \to \infty$. Figs 1 and 2 plot MF for increasing prime values $p$ for the constructions of Theorems 1 and 2. Very good MFs occur for no negacyclic shift, but Fig 3 presents the best MF over all negacyclic shifts. The highest MF sometimes occurs for a non-zero negacyclic shift. The asymptote of $M_s = 6.0$ is the best known for an infinite construction class of binary sequences [7, 8], where cyclically-shifted Legendre and Modified-Jacobi sequences also attain this maximum.³ Unlike Legendre and Modified-Jacobi sequences, no final shift of the constructed sequences is required to obtain the asymptote of 6.0. Lemma 3 of the next section shows that the constructions of Theorems 1 and 2 are closely related to Legendre sequences.

³ The constructions of [1] appear to asymptote to $M_s = 1.5$ or $M_s = 3.0$.

Fig. 1. NegaPeriodic Construction, Theorem 1, $p = 4f + 1$ (Merit Factor against $\log_2(N)$; plot title "Negacyc, order 2, m=4, N=2p, p=4f+1").

Fig. 2. NegaPeriodic Construction, Theorem 2, $p = 4f + 3$ (Merit Factor against $\log_2(N)$; plot title "Negacyc, order 2, m=4, N=2p, p=4f+3").

5 Mappings Between Periodic and Negaperiodic Autocorrelation

Although the sequence constructions of this paper are new, we also highlight further symmetries that trivially relate the PACF and/or NACF coefficient distributions of binary sequences $s(t)$ and $e(t)$, where $s$ and $e$ are not necessarily the same length.

Lemma 2. Let $e(t) = s(t) + t \pmod 2$, where $s(t)$ and $e(t)$ are binary sequences of length $K$, $K$ odd. Then

$$Q_e(\omega) = (-1)^\omega P_s(\omega), \qquad 0 \le \omega < K.$$

Fig. 3. NegaPeriodic Constructions, $p = 4f + 1$, Theorem 1 (lh), $p = 4f + 3$, Theorem 2 (rh), Best Negacyclic Shift (Merit Factor against $\log_2(N)$).



Proof. Direct inspection, or by examination of the $2K$-point Discrete Fourier Transform (DFT) of $s(t)$ and $e(t)$. □

Lemma 3. Let $e(t) = s(t \bmod K)$ for $t \equiv 0, 3 \pmod 4$ and $e(t) = s(t \bmod K) + 1 \pmod 2$ for $t \equiv 1, 2 \pmod 4$, where $s(t)$ and $e(t)$ are binary sequences of length $K$ and $2K$, respectively, $K$ odd, and $0 \le t < 2K$. Then

$$Q_e(\omega) = 0, \qquad \omega \text{ odd},$$
$$Q_e(\omega) = (-1)^{\omega/2}\, 2 P_s(\omega \bmod K), \qquad \omega \text{ even}, \quad 0 \le \omega < 2K.$$

Proof. Direct inspection, or by examination of the $K$- and $2K$-point DFTs of $s$ and $e$, respectively. □

Example 3: Consider the negated Legendre sequence of length $K = 13$, $s(t) = 1101100001101$. This sequence has PACF $P_s(\omega) = 13, 1, -3, 1, 1, -3, -3, -3, -3, 1, 1, -3, 1$. $e(t)$ is of length $2K = 26$ and is given by

$e(t) = 11011000011011101100001101 + 01100110011001100110011001 \pmod 2 = 10111110000010001010010100$,

and $e(t)$ has NACF

$Q_e(\omega) = 26, 0, 6, 0, 2, 0, 6, 0, -6, 0, -2, 0, 2, 0, -2, 0, 2, 0, 6, 0, -6, 0, -2, 0, -6, 0$.

$e(t)$ is identical to $s'(t)$ of Example 1 apart from the first bit. In general, an equivalent construction to that of Theorems 1 and 2 for $N = 2p$ is to make $s(t)$ a negated Legendre sequence, apply Lemma 3, then flip bit 0 or bit $K$.
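The two mappings can be checked mechanically. The Python below (added here, not the paper's code) builds $e(t)$ from $s(t)$ as in Lemmas 2 and 3, compares $Q_e$ with the predicted $(-1)^\omega P_s(\omega)$ and $(-1)^{\omega/2} 2 P_s(\omega \bmod K)$, and applies the "flip bit 0 or bit $K$" step of Example 3 to the negated Legendre sequence, verifying that the result has off-peak NACF in $\{-2, 0, 2\}$. The sequences it runs on are constructed inside the block.

```python
# Mappings of Section 5 between PACF and NACF (Lemmas 2 and 3), checked on
# constructed inputs; added example, not the paper's code.

def pm(s):
    return [1 - 2 * int(ch) for ch in s]

def pacf(s):
    x, N = pm(s), len(s)
    return [sum(x[t] * x[(t + w) % N] for t in range(N)) for w in range(N)]

def nacf(s):
    x, N = pm(s), len(s)
    return [sum(x[t] * x[(t + w) % N] * (-1) ** ((t + w) // N) for t in range(N))
            for w in range(N)]

def legendre_negated(p):
    """s(t) = 1 for t = 0 and for t a quadratic residue mod p, else 0."""
    qr = {(x * x) % p for x in range(1, p)}
    return ''.join('1' if t == 0 or t in qr else '0' for t in range(p))

def map_lemma2(s):
    """e(t) = s(t) + t (mod 2), same length K."""
    return ''.join(str((int(ch) + t) % 2) for t, ch in enumerate(s))

def map_lemma3(s):
    """e(t) = s(t mod K) + 1 for t = 1, 2 (mod 4), else s(t mod K); length 2K."""
    K = len(s)
    return ''.join(str((int(s[t % K]) + (t % 4 in (1, 2))) % 2) for t in range(2 * K))

def lemma2_holds(s):
    """Q_e(w) = (-1)^w P_s(w) for K odd."""
    P = pacf(s)
    return nacf(map_lemma2(s)) == [(-1) ** w * P[w] for w in range(len(s))]

def lemma3_holds(s):
    """Q_e(w) = 0 for w odd and (-1)^(w/2) 2 P_s(w mod K) for w even."""
    K, P = len(s), pacf(s)
    expected = [0 if w % 2 else (-1) ** (w // 2) * 2 * P[w % K] for w in range(2 * K)]
    return nacf(map_lemma3(s)) == expected

def flip_bit(s, i):
    return s[:i] + ('0' if s[i] == '1' else '1') + s[i + 1:]

def offpeak_values(s):
    return sorted(set(nacf(s)[1:]))

def example3(p=13):
    """Negated Legendre sequence -> Lemma 3 -> flip bit 0 (or bit K): the N = 2p
    construction. Returns (e, e with bit 0 flipped, e with bit K flipped)."""
    e = map_lemma3(legendre_negated(p))
    return e, flip_bit(e, 0), flip_bit(e, p)

if __name__ == "__main__":
    e, e0, eK = example3()
    print(e, nacf(e))
    print(offpeak_values(e0), offpeak_values(eK))
```

For $p = 13$ the block recovers the $e(t)$ string of Example 3 and its NACF, and both bit flips yield a length-26 sequence whose out-of-phase NACF values are exactly $\{-2, 0, 2\}$, the distribution of Theorem 1.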

Lemma 4. Let $e(t) = s(t \bmod K)$ for $4 \nmid t$ and $e(t) = s(t \bmod K) + 1 \pmod 2$ for $4 \mid t$, where $s(t)$ and $e(t)$ are binary sequences of length $K$ and $4K$, respectively, $K$ odd. Then

$$Q_e(\omega) = 0, \qquad 4 \nmid \omega,$$
$$Q_e(\omega) = 4 P_s(\omega \bmod K), \qquad 4 \mid \omega, \quad 0 \le \omega < 4K.$$
Proof. Direct inspection, or by examination of the $K$- and $4K$-point DFTs of $s$ and $e$, respectively. □

6 Conclusion

This paper has presented new cyclotomic constructions for infinite families of length $N = 2p$ and $N = 4p$ binary sequences with very low negaperiodic autocorrelation. The technique builds length $2N$ sequences with low periodic autocorrelation whose second half is the negation of the first half. The desired length $N$ sequence is then simply the first half. Two of the constructions exhibit a Merit Factor approaching 6.0 as $N$ approaches infinity. This is the highest asymptote currently known. A final section highlights further mappings which relate the periodic autocorrelation of a binary sequence to the periodic or negaperiodic autocorrelation of another binary sequence.
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Abstract. We give some new general non-existence results on perfect 
and almost-perfect quaternary sequences that are useful for the synchronisation of messages in multiple access communications systems. We present a conjecture on the non-existence of perfect autocorrelation quaternary sequences.

Keywords: Finite fields - Number theory - Autocorrelation - Binary and Quaternary Sequences.



1 Introduction 

Throughout the paper $s = (s_t)_{t \in \mathbb{N}}$ will denote a complex-valued sequence of period $n$, i.e. $s_{t+n} = s_t$ for every $t$. Associated with it is its generating vector $(s_0, s_1, \dots, s_{n-1})$. The periodic autocorrelation of $s$ is classically the coefficients $\{C_s(u) \mid 0 \le u \le n-1\}$ of inner products $C_s(u) = \sum_t s_t \overline{s_{t+u}}$, where $\overline{s_t}$ denotes the complex conjugate of $s_t$ and the sum $t + u$ is computed modulo $n$. The coefficients $C_s(u)$ with $u \equiv 0 \pmod n$ are called "in-phase" coefficients and are equal to the weight of $s$, i.e. the number of non-zero elements of $s$ in one period. The other coefficients $C_s(u)$ for $u \not\equiv 0 \pmod n$ are called "out-of-phase" coefficients. The shift operator $\sigma$ applied to $s$ is defined by $\sigma(s) = (s_{n-1}, s_0, \dots, s_{n-2})$; for all integers $u \pmod n$ we have $\sigma^u(s) = (s_{n-u}, \dots, s_{n-u-1})$.

In this paper, sequences have values in the ring of integers modulo 4, $\mathbb{Z}_4 = \mathbb{Z}/4\mathbb{Z} = \{0, 1, 2, 3\}$ (called quaternary sequences). These correspond to complex-valued sequences by the standard isomorphism $x \mapsto i^x$ with $i^2 = -1$. We now recall some useful basic notations and definitions on the correlation of quaternary sequences. Let $s = (s_t)$ be a quaternary sequence of period $n$. Define $m_u = s - \sigma^u(s)$ for all integers $u \pmod n$. The autocorrelation coefficients are equal for all integers $u \pmod n$ to

$C_s(u) = [\eta_0(m_u) - \eta_2(m_u)] + i[\eta_1(m_u) - \eta_3(m_u)] \quad (1.1)$

* This work has been done while the author was at Universite de Toulon et du Var - G.R.I.M. (G.E.C.T.) - FRANCE



S. Bozta§ and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 210-218, 2001. 
(c) Springer- Verlag Berlin Heidelberg 2001 
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where $\eta_l(m_u) = \#\{t \in [0, n-1] \mid (m_u)_t = l\}$ with $l = 0, 1, 2$ or $3$. This result is classical and easy to prove using the general definition of the autocorrelation coefficients of a complex-valued sequence.

A periodic quaternary sequence is called perfect if all its “out-of-phase” auto- 
correlation coefficients are equal to zero. Similarly, it is called almost-perfect if all 
its “out-of-phase” autocorrelation coefficients are equal to zero except possibly 
one. 

There are some results regarding the non-existence of periodic quaternary sequences having perfect autocorrelation properties. Chung and Kumar proved in [1] that there exist no perfect autocorrelation quaternary sequences of period $2^k$ with $k$ greater than 4. Moreover, it is well known that the existence of a perfect autocorrelation quaternary sequence is equivalent to the existence of a complex circulant Hadamard matrix. In [2], Arasu, Launey and Kumar conjectured that there exists no such matrix of order greater than 16. In this paper, we present new results on the non-existence of perfect autocorrelation quaternary sequences and express as a conjecture that those sequences only exist with period 4, 8 and 16. We establish a similar result concerning the non-existence of almost-perfect autocorrelation quaternary sequences.

2 Perfect Autocorrelation Quaternary Sequences 

First, we give a short characterisation of periodic quaternary sequences having perfect autocorrelation properties.

Proposition 2.1. The quaternary sequence $s = (s_t)$ of period $n$ is perfect if and only if for all integers $u \pmod n$ there exist two integers $a$ and $b$ such that $\eta_0(m_u) = \eta_2(m_u) = a$ and $\eta_1(m_u) = \eta_3(m_u) = b$ with $a + b = n/2$.

Proof. For all integers $u \pmod n$ we have $C_s(u) = [\eta_0(m_u) - \eta_2(m_u)] + i[\eta_1(m_u) - \eta_3(m_u)] = 0$. But $\eta_0(m_u) + \eta_2(m_u) + \eta_1(m_u) + \eta_3(m_u) = n$. Thus $\eta_0(m_u) = \eta_2(m_u)$ and $\eta_1(m_u) = \eta_3(m_u)$. Finally we get $2\eta_0(m_u) + 2\eta_1(m_u) = n$. □

One of the central theorems on non-existence of perfect quaternary sequences 
is the following. 

Theorem 2.1. Let $s = (s_t)$ be a quaternary sequence of period $n$. Define $n_k = \#\{t \in [0, n-1] \mid s_t = k\}$ ($k = 0, 1, 2, 3$) as the number of occurrences of $k$ in one generating vector $(s_0, s_1, \dots, s_{n-1})$ of $s$. If $s$ is perfect then

$n_0(n_0 - 1) + n_1(n_1 - 1) + n_2(n_2 - 1) + n_3(n_3 - 1) - 2n_0n_2 - 2n_1n_3 = 0.$

Proof. We consider the quaternary $(n-1, n)$-matrix $A = (a_{ut})$ such that row $u$ contains the coefficients of $m_u = s - \sigma^u(s)$, that is, $a_{ut} = s_t - s_{t-u}$, where subscripts are computed modulo $n$. Let $N_0, N_1, N_2$ and $N_3$ be the number of 0, 1, 2 and 3 respectively of this matrix. We calculate $N_0, N_1, N_2$ and $N_3$ in two different ways.
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$A = \begin{pmatrix} s_0 - s_{n-1} & s_1 - s_0 & \cdots & s_t - s_{t-1} & \cdots & s_{n-1} - s_{n-2} \\ \vdots & \vdots & & \vdots & & \vdots \\ s_0 - s_{n-u} & s_1 - s_{n-u+1} & \cdots & s_t - s_{t-u} & \cdots & s_{n-1} - s_{n-u-1} \\ \vdots & \vdots & & \vdots & & \vdots \\ s_0 - s_1 & s_1 - s_2 & \cdots & s_t - s_{t+1} & \cdots & s_{n-1} - s_0 \end{pmatrix}$

1) Considering the columns.

The column $t$ of length $n - 1$ is the transpose of the line

$(s_t - s_{t-1}, \dots, s_t - s_{t-u}, \dots, s_t - s_{t+1}),$

where $s_t$ never appears in $\{s_{t-1}, \dots, s_{t-u}, \dots, s_{t+1}\}$.

Let $col_0, col_1, col_2$ and $col_3$ be the number of 0, 1, 2 and 3, respectively, of this column.

If $s_t = 0$ then the column $t$ becomes $(-s_{t-1}, \dots, -s_{t-u}, \dots, -s_{t+1})$ and then we get $col_0 = n_0 - 1$, $col_1 = n_3$, $col_2 = n_2$ and $col_3 = n_1$.

Similarly we get:

If $s_t = 1$ then $col_0 = n_1 - 1$, $col_1 = n_0$, $col_2 = n_3$ and $col_3 = n_2$.

If $s_t = 2$ then $col_0 = n_2 - 1$, $col_1 = n_1$, $col_2 = n_0$ and $col_3 = n_3$.

If $s_t = 3$ then $col_0 = n_3 - 1$, $col_1 = n_2$, $col_2 = n_1$ and $col_3 = n_0$.

Finally we obtain

$N_0 = n_0(n_0 - 1) + n_1(n_1 - 1) + n_2(n_2 - 1) + n_3(n_3 - 1)$
$N_1 = n_0n_3 + n_1n_0 + n_2n_1 + n_3n_2$
$N_2 = n_0n_2 + n_1n_3 + n_2n_0 + n_3n_1$
$N_3 = n_0n_1 + n_1n_2 + n_2n_3 + n_3n_0$

2) Considering the lines.

The line $u$ of length $n$ is

$(s_0 - s_{n-u}, \dots, s_t - s_{t-u}, \dots, s_{n-1} - s_{n-u-1}).$

Let $lg_0, lg_1, lg_2$ and $lg_3$ be the number of 0, 1, 2 and 3 respectively of this line. Because the quaternary sequence $s$ is perfect and according to Proposition 2.1, we have $lg_0 = lg_2 = a$ and $lg_1 = lg_3 = b$ with $a + b = \frac{n}{2}$.

Obviously, it implies that $N_0 = N_2$ and $N_1 = N_3$.

Summing up the equalities in the two cases, we obtain the expected result. □

We now give a result on number theory useful for the next proof. 

Theorem 2.2. Let $x$ be a natural integer and $x = \prod_p p^{v_p(x)}$ its prime factor decomposition. A necessary and sufficient condition for $x$ to be the sum of two squares is that for every prime $p \equiv 3 \pmod 4$ the exponent $v_p(x)$ is even.

Proof. See [5]. □

If we solve the equation $n_0(n_0 - 1) + n_1(n_1 - 1) + n_2(n_2 - 1) + n_3(n_3 - 1) - 2n_0n_2 - 2n_1n_3 = 0$ of Theorem 2.1, we find some non-existence conditions on perfect quaternary sequences, summed up in the following theorem.
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Theorem 2.3. Let $s = (s_t)$ be a quaternary sequence of period $n$ and $n = \prod_p p^{v_p(n)}$ the prime factor decomposition of $n$. Define $n_k = \#\{t \in [0, n-1] \mid s_t = k\}$ ($k = 0, 1, 2, 3$) as the number of occurrences of $k$ in one generating vector $(s_0, s_1, \dots, s_{n-1})$ of $s$. If $s$ is perfect then

1) $n = (n_3 - n_1)^2$ and $n \equiv 0 \pmod 4$ with

$n_3 = n_1 + \sqrt{n}$, $n_2 = n_0 = \frac{n}{2} - n_1 - \frac{\sqrt{n}}{2}$

or

$n_3 = n_1 - \sqrt{n}$, $n_2 = n_0 = \frac{n}{2} - n_1 + \frac{\sqrt{n}}{2}$

2) $n$ is a square and $n \equiv 0 \pmod{16}$ with $n_3 = n_1$ and

$n_2 = \frac{n}{2} - n_1 + \frac{\sqrt{n}}{4}$, $n_0 = \frac{n}{2} - n_1 - \frac{\sqrt{n}}{4}$

or

$n_2 = \frac{n}{2} - n_1 - \frac{\sqrt{n}}{4}$, $n_0 = \frac{n}{2} - n_1 + \frac{\sqrt{n}}{4}$

3) $n_1 \ne n_3$ and $n \ne (n_3 - n_1)^2$ with, for every prime $p \equiv 3 \pmod 4$, the exponent $v_p(n)$ even and $n = a^2 + b^2$ where $a$ and $b$ are even, with

$n_3 = n_1 + b$, $n_2 = \frac{n}{2} - n_1 - \frac{b}{2} + \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 - \frac{b}{2} - \frac{a}{2}$

or

$n_3 = n_1 + b$, $n_2 = \frac{n}{2} - n_1 - \frac{b}{2} - \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 - \frac{b}{2} + \frac{a}{2}$

and

$n_3 = n_1 - b$, $n_2 = \frac{n}{2} - n_1 + \frac{b}{2} + \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 + \frac{b}{2} - \frac{a}{2}$

or

$n_3 = n_1 - b$, $n_2 = \frac{n}{2} - n_1 + \frac{b}{2} - \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 + \frac{b}{2} + \frac{a}{2}$

Proof. Let $x = n_0$, $y = n_1$, $z = n_2$ and $w = n_3$. Because $s$ is perfect, Theorem 2.1 gives the equation

$x^2 + y^2 + z^2 + w^2 - x - y - z - w - 2xz - 2yw = 0 \quad (E)$

with $x + y + z + w = n$ and $x, y, z, w$ integers ranging in $[0, n]$.

We fix $x = n - y - z - w$ in $(E)$ and obtain

$4z^2 + 4(y + w - n)z + (2w^2 + 2y^2 - 2nw - 2ny + n^2 - n) = 0$

which can be viewed as a quadratic polynomial equation with $z$ unknown. Its discriminant is $\Delta = 16\,(n - (w - y)^2)$. In order to get integer solutions to the equation $(E)$, we need $\Delta = \delta^2$. Therefore $z = \frac{n - y - w}{2} \pm \frac{\delta}{8}$, with $\delta$ even.

$\Delta = \delta^2 = 16n - (4(w - y))^2$
$\delta^2 + (4(w - y))^2 = 16n$

Let $X = \delta$ and $Y = 4(w - y)$. We get this new equation

$X^2 + Y^2 = 16n \quad (E')$

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$X = 0$: In this case the equation $(E')$ becomes $Y^2 = 16n$, i.e. $(w - y)^2 = n$. If $n$ is not a square then there exists no integer solution to the equation $(E')$ with $X = 0$. If $n$ is a square then we obviously obtain

$w = y + \sqrt{n}$, $z = x = \frac{n}{2} - \frac{\sqrt{n}}{2} - y$ or $w = y - \sqrt{n}$, $z = x = \frac{n}{2} + \frac{\sqrt{n}}{2} - y$.

$Y = 0$: In this case the equation $(E')$ becomes $X^2 = 16n$, i.e. $w - y = 0$ with $n$ a square. Therefore, we get $w = y$ and

$x = \frac{n}{2} - y + \frac{\sqrt{n}}{4}$, $z = \frac{n}{2} - y - \frac{\sqrt{n}}{4}$ or $x = \frac{n}{2} - y - \frac{\sqrt{n}}{4}$, $z = \frac{n}{2} - y + \frac{\sqrt{n}}{4}$.

$X \ne 0$, $Y \ne 0$: Let $16n = 16 \prod_p p^{v_p(n)}$ be the prime factor decomposition of $16n$. Theorem 2.2 gives a necessary and sufficient condition for $16n$ to be the sum of two squares: for every prime $p \equiv 3 \pmod 4$ the exponent $v_p(n)$ has to be even. Let $n = a^2 + b^2$; we get $X^2 + Y^2 = 16n = (4a)^2 + (4b)^2$, which yields $X = \delta = \pm 4a$ and $Y = 4(w - y) = \pm 4b$, where $a$ and $b$ play a symmetric role. For $w = y + b$, we eventually obtain

$z = \frac{n}{2} - y - \frac{b}{2} + \frac{a}{2}$, $x = \frac{n}{2} - y - \frac{b}{2} - \frac{a}{2}$ or $z = \frac{n}{2} - y - \frac{b}{2} - \frac{a}{2}$, $x = \frac{n}{2} - y - \frac{b}{2} + \frac{a}{2}$

and for $w = y - b$

$z = \frac{n}{2} - y + \frac{b}{2} + \frac{a}{2}$, $x = \frac{n}{2} - y + \frac{b}{2} - \frac{a}{2}$ or $z = \frac{n}{2} - y + \frac{b}{2} - \frac{a}{2}$, $x = \frac{n}{2} - y + \frac{b}{2} + \frac{a}{2}$. □



It is proved in [1] that there exist no perfect autocorrelation quaternary sequences of period $2^k$ with $k$ greater than 4. And it is conjectured in [2] that there exists no complex circulant Hadamard matrix of order greater than 16. Our non-existence theorems on perfect quaternary sequences complete these well-known results. Therefore, it is tempting to express the following conjecture.

Only perfect periodic quaternary sequences of period 4, 8 and 16 exist.

To illustrate this conjecture, we sum up in the following table the non-existence of perfect quaternary sequences of period $n$ with $n \equiv 0 \pmod 4$ and $4 \le n \le 100$. The notations used are:

† : does not exist by Theorem 2.3.

†_k : does not exist by results in [1] with parameter $k$.

? : non-existence conjectured by results in [2].

⋆ : exists by an exhaustive computer search.



n          |  4 |  8 | 12 | 16 | 20 | 24 | 28 |  32 | 36 | 40 | 44 | 48 | 52 | 56 | 60 |  64 | 68
existence  |  ⋆ |  ⋆ |  † |  ⋆ |  ? |  † |  † | †_4 |  ? |  ? |  † |  † |  ? |  † |  † | †_5 |  ?

n          | 72 | 76 | 80 | 84 | 88 | 92 | 96 | 100
existence  |  ? |  † |  ? |  † |  † |  † |  † |   ?
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3 Almost-Perfect Autocorrelation Quaternary Sequences 

We recall that an almost-perfect quaternary sequence has all its "out-of-phase" coefficients equal to zero except possibly one. So we begin with a short characterisation of this non-zero autocorrelation coefficient.

Proposition 3.1. The quaternary sequence $s = (s_t)$ of period $n$ is almost-perfect if and only if $n \equiv 0 \pmod 2$ and all its "out-of-phase" autocorrelation coefficients are equal to zero except one, which corresponds to a shift equal to half of the period.

Proof. The proof is obvious for periodicity and symmetry reasons of the autocorrelation function. □



Theorem 3.1. Let $s = (s_t)$ be a quaternary sequence of period $n$. Define $n_k = \#\{t \in [0, n-1] \mid s_t = k\}$ ($k = 0, 1, 2, 3$) as the number of occurrences of $k$ in one generating vector $(s_0, s_1, \dots, s_{n-1})$ of $s$. If $s$ is almost-perfect with $|C_s(\frac{n}{2})| = c$ then

$n_0(n_0 - 1) + n_1(n_1 - 1) + n_2(n_2 - 1) + n_3(n_3 - 1) = 2n_0n_2 + 2n_1n_3 \pm c.$

Proof. We proceed similarly as in Theorem 2.1 with the same notations. We obtain the same result reasoning on columns, i.e.

$N_0 = n_0(n_0 - 1) + n_1(n_1 - 1) + n_2(n_2 - 1) + n_3(n_3 - 1)$
$N_1 = N_3 = n_0n_3 + n_1n_0 + n_2n_1 + n_3n_2$
$N_2 = 2n_0n_2 + 2n_1n_3$

The reasoning on lines is a little different because of the line $u = \frac{n}{2}$ which corresponds to the only non-zero autocorrelation coefficient. First, we treat this case separately and then continue with the other lines.

Line $u = \frac{n}{2}$:

Let $l_0, l_1, l_2$ and $l_3$ be the number of 0, 1, 2 and 3, respectively, of this line.

$|C_s(\tfrac{n}{2})| = c \iff |(l_0 - l_2) + i(l_1 - l_3)| = c \iff (l_0 - l_2)^2 + (l_1 - l_3)^2 = c^2$

Let $X = l_0 - l_2$, $Y = l_1 - l_3$ and $Z = c$. We get the equation $X^2 + Y^2 = Z^2$. A result on number theory (Theorem 5.11 in [4]) gives the solutions (called primitive) of this equation:

$X = r^2 - s^2$, $Y = 2rs$, $Z = r^2 + s^2$ with $r$ and $s$ two integers of opposite parity, prime to each other and $r > s > 0$.

But, if $n = 2m$ with $m$ odd then $c = n - 2 = 2(m - 1)$ or $c = \frac{n}{2} - 1 = m - 1$, which are both even.

Moreover, if $n = 4m$ then $c = n - 4 = 4(m - 1)$ or $c = \frac{n}{2} - 2 = 2(m - 1)$, which are also both even.

Therefore, $c$ is always even and the equation $X^2 + Y^2 = Z^2$ has no solutions of this kind.
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It implies that either $r$ or $s$ is equal to zero and then $Y = 0$, i.e. $l_1 = l_3$.

The equation is reduced to $X^2 = Z^2$, that is $l_0 - l_2 = \pm c$. First we solve the case $l_0 - l_2 = c$; the other one can be deduced by symmetry.

If $l_0 - l_2 = c$ then the two possible choices are $l_0 = c$ and $l_2 = 0$, or $l_0 \ne c$ and $l_2 \ne 0$.

If $l_2 = 0$ then $l_1 = l_3 = \frac{n - c}{2}$, else $l_0 = \frac{n + c}{2} - l_1$ and $l_2 = \frac{n - c}{2} - l_1$.

In conclusion, for the line $u = \frac{n}{2}$, the four possibilities are the following:

$l_0 = c$, $l_2 = 0$, $l_1 = l_3 = \frac{n - c}{2}$

$l_0 = 0$, $l_2 = c$, $l_1 = l_3 = \frac{n - c}{2}$

$l_0 = \frac{n + c}{2} - l_1$, $l_2 = \frac{n - c}{2} - l_1$, $l_1 = l_3$

$l_0 = \frac{n - c}{2} - l_1$, $l_2 = \frac{n + c}{2} - l_1$, $l_1 = l_3$
Line $u \ne \frac{n}{2}$:

We denote by $lg_0, lg_1, lg_2$ and $lg_3$ the number of 0, 1, 2 and 3 respectively of this line.

$|C_s(u)| = 0 \iff |(lg_0 - lg_2) + i(lg_1 - lg_3)| = 0 \iff lg_0 = lg_2 = a$ and $lg_1 = lg_3 = b$ with $a + b = \frac{n}{2}$.

Let $N'_k$ be the total number of elements equal to $k$ ($0 \le k \le 3$) in the matrix without counting the line $u = \frac{n}{2}$.

We have two possibilities for the couples $(a, b)$.

(1) For every $u \ne \frac{n}{2}$ there is one and the same couple $(a, b)$ with $a + b = \frac{n}{2}$, $a$ and $b$ ranging in $[0, \frac{n}{2}]$. In this case, we get $N'_0 = N'_2 = (n - 2)a$ and $N'_1 = N'_3 = (n - 2)b$.

(2) There exist several couples $(a_j, b_j)$ such that $a_j + b_j = \frac{n}{2}$, with an occurrence $o_j$. In this case we obtain $N'_0 = N'_2 = \sum_j o_j a_j$ and $N'_1 = N'_3 = \sum_j o_j b_j$, where $j$ counts the number of couples $(a_j, b_j)$ with an occurrence equal to $o_j$.

Finally, we sum up the results for the line $u = \frac{n}{2}$ and the other lines with $N_k = l_k + N'_k$ ($0 \le k \le 3$).

For the case (1) we have these four possibilities:

$N_0 = c + (n - 2)a$, $N_1 = \frac{n - c}{2} + (n - 2)b$, $N_2 = 0 + (n - 2)a$, $N_3 = \frac{n - c}{2} + (n - 2)b$

$N_0 = 0 + (n - 2)a$, $N_1 = \frac{n - c}{2} + (n - 2)b$, $N_2 = c + (n - 2)a$, $N_3 = \frac{n - c}{2} + (n - 2)b$

$N_0 = \frac{n + c}{2} - l_1 + (n - 2)a$, $N_1 = l_1 + (n - 2)b$, $N_2 = \frac{n - c}{2} - l_1 + (n - 2)a$, $N_3 = l_1 + (n - 2)b$

$N_0 = \frac{n - c}{2} - l_1 + (n - 2)a$, $N_1 = l_1 + (n - 2)b$, $N_2 = \frac{n + c}{2} - l_1 + (n - 2)a$, $N_3 = l_1 + (n - 2)b$
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For the case (2) we have the same equalities replacing $(n - 2)a$ and $(n - 2)b$ by $\sum_j o_j a_j$ and $\sum_j o_j b_j$ respectively.

We complete the proof by bringing together the results obtained with the columns and those obtained with the lines. □
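An added Python example (not the paper's code; all names are ours) that implements the count formula (1.1), the perfect and almost-perfect tests of Propositions 2.1 and 3.1, the counting identities of Theorem 2.1 and Theorem 3.1, and the Theorem 2.2 criterion behind the † entries of the table in Section 2. The exhaustive search over periods 4 and 8 reproduces the ⋆ entries and checks both identities on every sequence found; the sample sequences are constructed, not taken from the paper.

```python
# Added example, not the paper's code: quaternary autocorrelation via the eta counts
# of formula (1.1), perfect / almost-perfect tests, the counting identities of
# Theorems 2.1 and 3.1, and the Theorem 2.2 sum-of-two-squares criterion that
# produces the dagger entries of the table.  Names and sample data are ours.
from itertools import product
from math import isqrt

I_POWERS = (1, 1j, -1, -1j)          # the isomorphism x -> i^x, kept exact


def diff_counts(s, u):
    """eta_l = #{t : s_t - s_{t+u} = l (mod 4)}, l = 0..3, for the shift u."""
    n = len(s)
    eta = [0, 0, 0, 0]
    for t in range(n):
        eta[(s[t] - s[(t + u) % n]) % 4] += 1
    return eta


def autocorr(s, u):
    """C_s(u) = sum_t i^{s_t} conj(i^{s_{t+u}}) = (eta0 - eta2) + i(eta1 - eta3)  (1.1)."""
    e = diff_counts(s, u)
    return complex(e[0] - e[2], e[1] - e[3])


def autocorr_complex(s, u):
    """The same coefficient computed directly on the complex sequence (cross-check)."""
    n = len(s)
    z = [I_POWERS[k] for k in s]
    return sum(z[t] * z[(t + u) % n].conjugate() for t in range(n))


def out_of_phase(s):
    return [autocorr(s, u) for u in range(1, len(s))]


def is_perfect(s):
    return all(c == 0 for c in out_of_phase(s))


def half_shift_value(s):
    """If s is almost-perfect (one non-zero out-of-phase coefficient, which
    Proposition 3.1 places at shift n/2) return c = |C_s(n/2)|, else None."""
    n = len(s)
    nz = [u for u, c in enumerate(out_of_phase(s), start=1) if c != 0]
    if len(nz) == 1 and n % 2 == 0 and nz[0] == n // 2:
        return abs(autocorr(s, n // 2))
    return None


def counting_lhs(s):
    """sum_k n_k(n_k - 1) - 2 n_0 n_2 - 2 n_1 n_3: zero for a perfect sequence
    (Theorem 2.1), +c or -c for an almost-perfect one (Theorem 3.1)."""
    n0, n1, n2, n3 = (s.count(k) for k in range(4))
    return sum(nk * (nk - 1) for nk in (n0, n1, n2, n3)) - 2 * n0 * n2 - 2 * n1 * n3


def is_sum_of_two_squares(x):
    """Theorem 2.2: every prime p = 3 (mod 4) must divide x to an even power."""
    p = 2
    while p * p <= x:
        e = 0
        while x % p == 0:
            x //= p
            e += 1
        if p % 4 == 3 and e % 2 == 1:
            return False
        p += 1
    return not (x > 1 and x % 4 == 3)      # a leftover prime factor, if any


def ruled_out_by_theorem_23(n):
    """The dagger mark: cases 1 and 2 of Theorem 2.3 need n to be a square and
    case 3 needs 16n to be a sum of two squares (equation (E'))."""
    return isqrt(n) ** 2 != n and not is_sum_of_two_squares(16 * n)


def survey(n):
    """Exhaustive search over all 4^n sequences of period n: returns the perfect
    sequences and the (sequence, c) pairs of the almost-perfect ones."""
    perfect, almost = [], []
    for s in product(range(4), repeat=n):
        oop = out_of_phase(s)
        nz = [u for u, c in enumerate(oop, start=1) if c != 0]
        if not nz:
            perfect.append(s)
        elif len(nz) == 1 and nz[0] == n // 2:          # Proposition 3.1
            almost.append((s, abs(oop[n // 2 - 1])))
    return perfect, almost


if __name__ == "__main__":
    for s in [(0, 0, 0, 2), (0, 0, 0, 1, 2, 0, 2, 1)]:   # constructed examples
        print(s, "perfect:", is_perfect(s), "counting lhs:", counting_lhs(s))
    print("dagger periods:", [n for n in range(4, 101, 4) if ruled_out_by_theorem_23(n)])
    print("perfect sequences of period 8:", len(survey(8)[0]))
```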

Similarly as in the previous section, if we solve the equation $n_0(n_0 - 1) + n_1(n_1 - 1) + n_2(n_2 - 1) + n_3(n_3 - 1) = 2n_0n_2 + 2n_1n_3 \pm c$ stated in Theorem 3.1, we obtain some non-existence conditions on almost-perfect quaternary sequences. The following theorem sums up those results.



Theorem 3.2. Let $s = (s_t)$ be a quaternary sequence of period $n$. Define $n_k = \#\{t \in [0, n-1] \mid s_t = k\}$ ($k = 0, 1, 2, 3$) as the number of occurrences of $k$ in one generating vector $(s_0, s_1, \dots, s_{n-1})$ of $s$. Let $|C_s(\frac{n}{2})| = c$ and $n \pm c = \prod_p p^{v_p(n \pm c)}$ be the prime factor decomposition of $n \pm c$. If $s$ is almost-perfect with $|C_s(\frac{n}{2})| = c$ then

1) $n = (n_3 - n_1)^2$ and $n \pm c$ is a square and $n \pm c \equiv 0 \pmod 4$ with

$n_3 = n_1 + \sqrt{n \pm c}$, $n_2 = n_0 = \frac{n}{2} - \frac{\sqrt{n \pm c}}{2} - n_1$

or

$n_3 = n_1 - \sqrt{n \pm c}$, $n_2 = n_0 = \frac{n}{2} + \frac{\sqrt{n \pm c}}{2} - n_1$

2) $n_3 = n_1$ and $n \pm c$ is a square and $n \pm c \equiv 0 \pmod{16}$ with

$n_3 = n_1$, $n_2 = \frac{n}{2} - n_1 + \frac{\sqrt{n \pm c}}{4}$, $n_0 = \frac{n}{2} - n_1 - \frac{\sqrt{n \pm c}}{4}$

or

$n_3 = n_1$, $n_2 = \frac{n}{2} - n_1 - \frac{\sqrt{n \pm c}}{4}$, $n_0 = \frac{n}{2} - n_1 + \frac{\sqrt{n \pm c}}{4}$

3) $n_1 \ne n_3$ and $n \ne (n_3 - n_1)^2$ with, for every prime $p \equiv 3 \pmod 4$, the exponent $v_p(n \pm c)$ even and $n \pm c = a^2 + b^2$ where $a$ and $b$ are even, with

$n_3 = n_1 + b$, $n_2 = \frac{n}{2} - n_1 - \frac{b}{2} + \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 - \frac{b}{2} - \frac{a}{2}$

or

$n_3 = n_1 + b$, $n_2 = \frac{n}{2} - n_1 - \frac{b}{2} - \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 - \frac{b}{2} + \frac{a}{2}$

and

$n_3 = n_1 - b$, $n_2 = \frac{n}{2} - n_1 + \frac{b}{2} + \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 + \frac{b}{2} - \frac{a}{2}$

or

$n_3 = n_1 - b$, $n_2 = \frac{n}{2} - n_1 + \frac{b}{2} - \frac{a}{2}$, $n_0 = \frac{n}{2} - n_1 + \frac{b}{2} + \frac{a}{2}$

Proof. We proceed similarly as in Theorem 2.3 with the same notations and using Theorem 3.1, however considering $n \pm c$ instead of $n$ in all equations. □



4 Conclusion 

Perfect and almost-perfect periodic quaternary sequences have been the topic of many papers because they are useful in multiple access communications systems. We have presented some new general non-existence theorems about those sequences. In the perfect case, we have been tempted to conjecture that only such periodic quaternary sequences of period 4, 8 and 16 exist.




Patrice Parraud



References 

1. H. Chung and P.V. Kumar - A new general construction for generalized bent functions - IEEE Trans. Inform. Theory, 35 : 206-209, 1989.

2. K.T. Arasu, W. Launey and S.L. Ma - On circulant Hadamard matrices - to appear in Designs, Codes and Cryptography.

3. J. Wolfmann - Almost perfect autocorrelation sequences - IEEE Trans. Inform. Theory, 38 : 1412-1418, 1992.

4. I. Niven and H.S. Zuckerman - The theory of numbers - John Wiley and Sons, 1980 (4th edition).

5. P. Samuel - Theorie algebrique des nombres - Hermann, 1971 (2nd edition).




Maximal Periods of $x^2 + c$ in $\mathbb{F}_q$

A. Peinado*, F. Montoya, J. Munoz, and A.J. Yuste

Dpto. Ingenieria de Comunicaciones, E.T.S. Ingenieria de Comunicaciones, Universidad de Malaga, Campus de Teatinos - 29071 Malaga, Spain

Dpto. de Tratamiento de la Informacion y Codificacion, Instituto de Fisica Aplicada (CSIC), C/ Serrano 144, 28006-Madrid, Spain

Dpto. Electronica, Universidad de Jaen, C/ Alfonso X, 28 - 23700 Linares, Jaen, Spain

Abstract. The orbits produced by the iterations of the mapping $x \mapsto x^2 + c$, defined over $\mathbb{F}_q$, are studied. Several upper bounds for their periods are obtained, depending on the coefficient $c$ and the number of elements $q$.

Keywords: Pseudorandom sequence generation, stream ciphers, Pollard generator.


1 Introduction 

Quadratic functions are widely used in Cryptography, defining a great variety of systems [2], [11], [13]. In particular, quadratic functions are used to generate pseudorandom sequences, by means of the iterations of the mapping $x \mapsto x^2$, defined over $\mathbb{Z}_{pq}$, with $p, q$ two distinct odd prime numbers. Many works exist focusing on this topic (see [2], [3], [5], [9]).

However, the mapping $x \mapsto x^2$ is not representative of every quadratic mapping. Hence, none of these results are applicable to the mapping $x \mapsto x^2 + c$, with $c \ne 0$. This mapping is the basis of Pollard's rho method [12] for integer factorization, which makes use of the orbital structure (tails and cycles) of the functions $f_c: \mathbb{Z}_p \to \mathbb{Z}_p$, $f_c(x) = x^2 + c$. In this work, the orbits of the functions $f_c: \mathbb{F}_q \to \mathbb{F}_q$, $f_c(x) = x^2 + c$ are analysed and several upper bounds for cycle lengths are obtained, depending on the coefficient $c$ and the number of elements $q = p^n = \#\mathbb{F}_q$, $p$ being an odd prime.

In Section 2, several concepts on function iteration and quadratic functions are introduced. Section 3 presents the general aspects of the orbital structure of $x \mapsto x^2 + c$, and Section 4 shows the theoretical results about cycle length upper bounds. Finally, Section 5 deals with some experimental results on the cycle length of this function.
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2 Notations and Preliminaries 

Let $O(x_0) = \{f^n(x_0) \mid n \in \mathbb{N}\}$ be the $f$-orbit of an element $x_0 \in \mathbb{F}_q$, with respect to an arbitrary function $f: \mathbb{F}_q \to \mathbb{F}_q$, where $f^n$ denotes the $n$-th iteration of $f$, or even $O(x_0) = \{x_0, x_1, \dots, x_{n-1}, \dots\}$, $x_n = f(x_{n-1})$. Let $h = h(x_0)$ be the least positive integer for which an integer $k$ exists such that: i) $0 \le k < h$, and ii) $x_k = x_h$. The set of elements $x_0, x_1, \dots, x_{k-1}$ is called the "tail" $T(x_0)$ of the orbit, the set of elements $x_k, x_{k+1}, \dots, x_{h-1}$ is called the "cycle" $C(x_0)$ of the orbit, and $l(x_0) = l_f(x_0) = h - k$ is the length or period of the cycle (cf. [5], [10, XII]).

Every polynomial $p(X) \in \mathbb{F}[X]$ induces, by evaluation, a polynomial function $p: \mathbb{F} \to \mathbb{F}$. Proceeding by recurrence on $n \in \mathbb{N}$, we define $p^n(X)$ to be the polynomial obtained by substituting $p(X)$ for $X$ in $p^{n-1}(X)$.

Hence, a quadratic polynomial $p(X) = aX^2 + bX + c \in \mathbb{F}_q[X]$ is linearly conjugated (e.g., see [6]) to a quadratic polynomial $q(X)$ of the form $q(X) = X^2 + k \in \mathbb{F}_q[X]$ (cf. [5]). This relationship allows the study of quadratic functions to be simplified, reducing the number of non-vanishing coefficients.

The simplest case of study corresponds to $k = 0$, defining the mapping $f$ as $f: \mathbb{Z}_p \to \mathbb{Z}_p$, $f(x) = x^2$. The orbits of this function are completely characterized in [5], where the prime numbers producing cycles of maximal length $(p - 3)/8$ are identified.

We consider now the case $k \ne 0$, defining the mapping $f_c$ as $f_c: \mathbb{F}_q \to \mathbb{F}_q$, $f_c(x) = x^2 + c$, $c \in \mathbb{F}_q^*$. The following result shows the impossibility of applying the previous results ($k = 0$) to $f_c$. Figure 1 illustrates this fact.

Proposition 1. The function $f$ is not linearly conjugated to $f_c$, for any $c \in \mathbb{F}_q^*$.

Proof. The proof is based on the orbital structure of both functions $f$ and $f_c$. In both cases, there exists a unique element with only one predecessor, i.e., $x = 0$ for the function $f$, and $x = c$ for the function $f_c$. Suppose $f$ is conjugated to $f_c$ by means of a permutation polynomial $p$. Then $p(0) = c$. However, $x = 0$ is an invariant element of $f$, while $c$ is not in $f_c$, leading us to a contradiction. □



3 Orbits of $x \mapsto x^2 + c$

In this section, general aspects of the orbital structure of $f_c$ are introduced. First, the number of predecessors and successors of every element $x \in \mathbb{F}_q$ is obtained in the following proposition.

Proposition 2. Let $f_c$ be the mapping defined by $f_c: \mathbb{F}_q \to \mathbb{F}_q$, $f_c(x) = x^2 + c$, with $c \in \mathbb{F}_q^*$. Then, every element $x \in \mathbb{F}_q$ has a unique successor $f_c(x)$ and,

1. has two predecessors (anti-images) if and only if $x - c$ is a quadratic residue.

2. has no predecessor (anti-image) if and only if $x - c$ is not a quadratic residue.

3. has one predecessor (anti-image) if and only if $x - c = 0$.

Proof. It follows directly from the definition of $f_c$. □
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Fig. 1. Orbital spaces of $x \mapsto x^2 + c$, for every $c \in \mathbb{Z}_p^*$, with $p = 11$.



In other words, the element $x = c$ has only one predecessor, but any other element has either two or no predecessors. Unlike the case of the function $f$, the element with only one predecessor ($x = c$) is not invariant ($f_c(x) = x$ does not hold). Thus, the maximal cycle length is bounded by $(q + 1)/2$, as there exist $(q - 1)/2$ quadratic residues. This fact is equivalent to computing the cardinality of $f_c[\mathbb{F}_q]$, which is $\#f_c[\mathbb{F}_q] = (q + 1)/2$, since $f_c(x) = f_c(-x)$.

In order to compute the maximal length of the cycles, the following propositions state the conditions for the existence of cycles of length 1 and 2.

Proposition 3. Let $f_c$ be the mapping defined by $f_c: \mathbb{F}_q \to \mathbb{F}_q$, $f_c(x) = x^2 + c$, with $c \in \mathbb{F}_q^*$. Then,

1. only one cycle of length 1 exists, if and only if $c = \frac{1}{4}$.

2. two cycles of length 1 exist, if and only if $1 - 4c$ is a quadratic residue.

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Proof. It follows directly from the equation $f_c(x) = x$, defining the cycles of length 1, and the expression of the roots of a quadratic equation. □

Proposition 4. Let $f_c$ be the mapping defined as $f_c: \mathbb{F}_q \to \mathbb{F}_q$, $f_c(x) = x^2 + c$, with $c \in \mathbb{F}_q^*$. Then, a cycle of length 2 exists if and only if $1 - 4(c + 1)$ is a quadratic residue.

Proof. Cycles of length 2 are defined by $f_c^2(x) = x$, and, therefore, by the equation $x^4 + 2cx^2 - x + c^2 + c = 0$. Since $f_c(x) - x$ divides $f_c^2(x) - x$, we have

$x^4 + 2cx^2 - x + c^2 + c = (x^2 - x + c)(x^2 + x + c + 1).$

Since the equation $x^2 - x + c = 0$ defines the cycles of length 1, the only cycle of length 2 is defined by $x^2 + x + c + 1 = 0$, which has two distinct roots if and only if $1 - 4(c + 1)$ is a quadratic residue. □

Remark 1. When only one cycle of length 1 exists, i.e., $c = \frac{1}{4}$, it can be proved that another cycle of length 2 exists if and only if $-1$ is a quadratic residue. On the other hand, when $1 - 4(c + 1) = 0$, it can also be proved that cycles of length 2 do not exist, thus producing cycles of length 1.

4 Cycle Length Upper Bounds 

A theoretical upper bound for cycle lengths of the function is stated in the following theorems. We denote by $l_q(c)$ the maximum cycle length of the function $f_c$, that is, $l_q(c) = \max_{x \in \mathbb{F}_q} l_{f_c}(x)$.

Theorem 1. Let $f_c$ be the mapping defined as $f_c: \mathbb{F}_q \to \mathbb{F}_q$, $f_c(x) = x^2 + c$, with $c \in \mathbb{F}_q^*$, $p > 9$. Then, if $-1$ is not a quadratic residue, the cycle length $l_q(c)$ of the function $f_c$ is

1. $l_q(c) \le (3q + 3)/8$, if $(q - 3)/4$ is odd.

2. $l_q(c) \le (3q - 1)/8$, if $(q - 3)/4$ is even and $-2c$ is a quadratic residue.

3. $l_q(c) \le (3q + 7)/8$, if $(q - 3)/4$ is even and $-2c$ is not a quadratic residue.

Theorem 2. Let $f_c$ be the mapping defined as $f_c: \mathbb{F}_q \to \mathbb{F}_q$, $f_c(x) = x^2 + c$, with $c \in \mathbb{F}_q^*$, $p > 9$. Then, if $-1$ is a quadratic residue, the cycle length $l_q(c)$ of the function $f_c$ is

1. $l_q(c) \le (3q + 5)/8$, if $(q - 1)/4$ is even.

2. $l_q(c) \le (3q + 1)/8$, if $(q - 1)/4$ is odd and $-2c$ is a quadratic residue.

3. $l_q(c) \le (3q + 9)/8$, if $(q - 1)/4$ is odd and $-2c$ is not a quadratic residue.

In order to prove these theorems, we need the following previous results.

Lemma 1. Let $\mathbb{F}_q[i] = \{a + bi \mid a, b \in \mathbb{F}_q\}$, $i^2 = -1$. Consider the norm function $N: \mathbb{F}_q[i] \to \mathbb{F}_q$, $N(a + bi) = a^2 + b^2$. Then, we have





(a) If $-1$ is a quadratic residue in $\mathbb{F}_q$, then there are exactly $2q - 1$ elements $a + bi \in \mathbb{F}_q[i]$ satisfying $a^2 + b^2 = 0$ and there are exactly $q - 1$ elements $a + bi \in \mathbb{F}_q[i]$ satisfying $a^2 + b^2 = c$ for each $c \in \mathbb{F}_q^*$.

(b) If $-1$ is not a quadratic residue in $\mathbb{F}_q$, then there is exactly 1 element $a + bi \in \mathbb{F}_q[i]$ satisfying $a^2 + b^2 = 0$ and there are exactly $q + 1$ elements $a + bi \in \mathbb{F}_q[i]$ satisfying $a^2 + b^2 = c$ for each $c \in \mathbb{F}_q^*$.

Proof. (a) If $-1$ is a quadratic residue in $\mathbb{F}_q$, say $-1 = j^2$, then there is a ring isomorphism $\phi: \mathbb{F}_q[i] \to \mathbb{F}_q \times \mathbb{F}_q$, given by $\phi(a + bi) = (u, v) = (a + bj, a - bj)$, and the equation $a^2 + b^2 = 0$ is equivalent to the following: $uv = 0$, whose solutions are $(0, 0)$; $(u, 0)$, $u \ne 0$; $(0, v)$, $v \ne 0$. Similarly, the equation $a^2 + b^2 = c$, $c \ne 0$, becomes $uv = c$, whose solutions are $(u, c/u)$, with $u \ne 0$, thus proving the first part of the statement.

(b) If $-1$ is not a quadratic residue in $\mathbb{F}_q$, then $a^2 + b^2 = 0$ with $a \ne 0$ implies $(b/a)^2 = -1$, thus contradicting the assumption. Hence $a = 0$, and similarly $b = 0$. Moreover, in this case, $\mathbb{F}_q[i]$ is a (finite) field. In fact, since $N(xy) = N(x)N(y)$, the relation $xy = 0$ in $\mathbb{F}_q[i]$ implies $N(x)N(y) = 0$, so that $N(x) = 0$ or $N(y) = 0$, and this implies $x = 0$ or $y = 0$, due to the assumption that $-1$ is not a quadratic residue in $\mathbb{F}_q$. Accordingly, the norm induces a group homomorphism $N: \mathbb{F}_q[i]^* = \{a + bi \ne 0\} \to \mathbb{F}_q^*$, which is surjective. In fact, given an element $c \in \mathbb{F}_q$, the number of elements of the image of the mapping $\alpha: \mathbb{F}_q \to \mathbb{F}_q$, $\alpha(a) = c - a^2$, is $(q + 1)/2$. As the number of elements of the set $Q = \{b^2 \mid b \in \mathbb{F}_q\}$ is also $(q + 1)/2$, we conclude that $(\operatorname{im} \alpha) \cap Q$ is not empty. We conclude that every $c \in \mathbb{F}_q^*$ can be written in the form $a^2 + b^2 = c$ and the number of elements $a + bi \in \mathbb{F}_q[i]$ satisfying this condition is exactly equal to $\#\ker N = \#\mathbb{F}_q[i]^* / \#\mathbb{F}_q^* = (q^2 - 1)/(q - 1) = q + 1$. □

Proposition 5. For every $c \in \mathbb{F}_q^*$, $p > 9$, if $-1$ is not a quadratic residue, we have

1. If $(q - 3)/4$ is odd, then there exist $(q + 1)/8$ different pairs $(x^2, y^2)$, such that $c = x^2 + y^2$, with $x^2 \ne y^2$.

2. If $(q - 3)/4$ is even and $c$ is a quadratic residue, then there exist $(q + 5)/8$ different pairs $(x^2, y^2)$, such that $c = x^2 + y^2$, with $x^2 \ne y^2$.

3. If $(q - 3)/4$ is even and $c$ is not a quadratic residue, then there exist $(q - 3)/8$ different pairs $(x^2, y^2)$, such that $c = x^2 + y^2$, with $x^2 \ne y^2$.

Proof. From Lemma 1 we have $q + 1$ elements $a + bi \in \mathbb{F}_q[i]$ satisfying the equation $a^2 + b^2 = c$, for each $c \in \mathbb{F}_q^*$.

Suppose that $c = b^2$ is a quadratic residue. Hence the pair $(0, b^2)$ is trivially a solution, which can be obtained from four distinct pairs $(0, \pm b)$, $(\pm b, 0)$. Since the elements $a + bi$, $a - bi$, $-a + bi$, and $-a - bi$ produce the same pair $(a^2, b^2)$, there only exist $((q + 1) - 4)/4 = (q - 3)/4$ pairs $(a^2, b^2)$ with $a^2 \ne 0$, $b^2 \ne 0$ satisfying the equation $a^2 + b^2 = c$.

If $(q - 3)/4$ is even, then the pair $(a^2, a^2)$ is not a solution. In fact, if the pair $(a^2, b^2)$ is a solution, then $(b^2, a^2)$ is also a solution, and the total number
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of pairs is even. Hence, if we take $(a^2, b^2)$ but not $(b^2, a^2)$, and take the solution $(0, b^2)$, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\frac{(q - 3)}{4} \cdot \frac{1}{2} + 1 = \frac{q + 5}{8}.$

If $(q - 3)/4$ is odd, then it is clear that the pair $(a^2, a^2)$ is a solution. If we apply the restriction imposed in the proposition ($x^2 \ne y^2$), this solution is not valid. Hence, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\left(\frac{(q - 3)}{4} - 1\right) \cdot \frac{1}{2} + 1 = \frac{q + 1}{8}.$

Now, we assume that $c$ is not a quadratic residue. Then there are $(q + 1)/4$ pairs $(a^2, b^2)$ with $a^2 \ne 0$, $b^2 \ne 0$ satisfying the equation $a^2 + b^2 = c$. If $(q + 1)/4$ is even, the pair $(a^2, a^2)$ is not a solution since $a^2 + a^2 = 2a^2 = c$ leads us to a contradiction. Hence, considering the pair $(a^2, b^2)$ but not $(b^2, a^2)$, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\frac{(q + 1)}{4} \cdot \frac{1}{2} = \frac{q + 1}{8}.$

If $(q + 1)/4$ is odd, then the pair $(a^2, a^2)$ is a solution. If we apply the restriction imposed in the proposition ($x^2 \ne y^2$), this solution is not valid. Hence, considering the pair $(a^2, b^2)$ but not $(b^2, a^2)$, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\left(\frac{(q + 1)}{4} - 1\right) \cdot \frac{1}{2} = \frac{q - 3}{8}.$

We conclude taking into account that $(q - 3)/4 \equiv (q + 1)/4 + 1 \pmod 2$. □



Proposition 6. For every $c \in \mathbb{F}_q^*$, $p > 9$, if $-1$ is a quadratic residue, we have

1. If $(q - 1)/4$ is even, then there exist $(q - 1)/8$ different pairs $(x^2, y^2)$, such that $c = x^2 + y^2$, with $x^2 \ne y^2$.

2. If $(q - 1)/4$ is odd and $c$ is a quadratic residue, then there exist $(q + 3)/8$ different pairs $(x^2, y^2)$, such that $c = x^2 + y^2$, with $x^2 \ne y^2$.

3. If $(q - 1)/4$ is odd and $c$ is not a quadratic residue, then there exist $(q - 5)/8$ different pairs $(x^2, y^2)$, such that $c = x^2 + y^2$, with $x^2 \ne y^2$.

Proof. From Lemma 1 we have $q - 1$ elements $a + bi \in \mathbb{F}_q[i]$ satisfying the equation $a^2 + b^2 = c$, for each $c \in \mathbb{F}_q^*$.

Suppose that $c = b^2$ is a quadratic residue. Hence the pair $(0, b^2)$ is trivially a solution, which can be obtained from four distinct pairs $(0, \pm b)$, $(\pm b, 0)$. Since the elements $a + bi$, $a - bi$, $-a + bi$, and $-a - bi$ produce the same pair $(a^2, b^2)$, there only exist $((q - 1) - 4)/4 = (q - 5)/4$ pairs $(a^2, b^2)$ with $a^2 \ne 0$, $b^2 \ne 0$ satisfying the equation $a^2 + b^2 = c$.

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If $(q - 5)/4$ is even, then the pair $(a^2, a^2)$ is not a solution. In fact, if the pair $(a^2, b^2)$ is a solution, then $(b^2, a^2)$ is also a solution, and the total number of pairs is even. Hence, if we take $(a^2, b^2)$ but not $(b^2, a^2)$, and take the solution $(0, b^2)$, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\frac{(q - 5)}{4} \cdot \frac{1}{2} + 1 = \frac{q + 3}{8}.$

If $(q - 5)/4$ is odd, then it is clear that the pair $(a^2, a^2)$ is a solution. If we apply the restriction imposed in the proposition ($x^2 \ne y^2$), this solution is not valid. Hence, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\left(\frac{(q - 5)}{4} - 1\right) \cdot \frac{1}{2} + 1 = \frac{q - 1}{8}.$

Now we assume that $c$ is not a quadratic residue. Then there are $(q - 1)/4$ pairs $(a^2, b^2)$ with $a^2 \ne 0$, $b^2 \ne 0$ satisfying the equation $a^2 + b^2 = c$. If $(q - 1)/4$ is even then the pair $(a^2, a^2)$ is not a solution since $a^2 + a^2 = 2a^2 = c$ leads us to a contradiction. Hence, considering the pair $(a^2, b^2)$ but not $(b^2, a^2)$, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\frac{(q - 1)}{4} \cdot \frac{1}{2} = \frac{q - 1}{8}.$

If $(q - 1)/4$ is odd, then the pair $(a^2, a^2)$ is a solution. If we apply the restriction imposed in the proposition ($x^2 \ne y^2$), this solution is not valid. Hence, considering the pair $(a^2, b^2)$ but not $(b^2, a^2)$, the number of distinct pairs satisfying the equation $a^2 + b^2 = c$ is

$\left(\frac{(q - 1)}{4} - 1\right) \cdot \frac{1}{2} = \frac{q - 5}{8}.$

We conclude taking into account that $(q - 5)/4 \equiv (q - 1)/4 + 1 \pmod 2$. □

Proof of Theorems 1 and 2. Since $f_c(x) = f_c(-x) = x^2 + c$, the cardinality of $f_c[\mathbb{F}_q]$ is $\#f_c[\mathbb{F}_q] = (q+1)/2$. On the other hand, the number of elements $y \in f_c[\mathbb{F}_q]$ such that $-y \in f_c[\mathbb{F}_q]$ can be computed by solving the following system of equations

$$y = x_1^2 + c, \qquad -y = x_2^2 + c.$$

By adding the two equations, we have $x_1^2 + x_2^2 = -2c$, with $x_1^2 \neq x_2^2$. The cardinality of $f_c^2[\mathbb{F}_q]$ can be computed as $\#f_c^2[\mathbb{F}_q] = \#f_c[\mathbb{F}_q] - N_c$, where $N_c$ is the number of pairs $(x_1^2, x_2^2)$ satisfying the equation $x_1^2 + x_2^2 = -2c$. Hence, we can conclude by substituting the values of $N_c$ stated in Propositions 5 and 6.
5 Experimental Results

Numerous computations have been carried out to check the validity of the theoretical results, and to see how far the previous upper bound is from the real maximal cycle length. Most of these results are concerned with $\mathbb{Z}_p$, although similar results are obtained for $\mathbb{F}_q$, $q = p^n$, with $n > 1$.

As can be observed in Figure 2, the bound in Theorem 1 is reached for small prime numbers. However, for $p > 83$ the bound observed in the figure is far from the real value. More precisely, the maximal lengths $l_p(c)$ in the figure satisfy

— $l_p(c) \le (p-1)/4$, if $p \equiv 1 \pmod 4$.

— $l_p(c) \le (p-3)/4$, if $p \equiv 3 \pmod 4$.




Fig. 2. Theoretical upper bound vs. real maximal length, for $7 \le p \le 3583$.



Note that this experimental bound implies $\lim_{p \to \infty} l_p(c)/p \le 1/4 = 0.25$, unlike the theoretical bound, which implies $\lim_{p \to \infty} l_p(c)/p \le 3/8 = 0.375$. Taking into account that the theoretical bound is obtained by computing the cardinality of $f_c^2[\mathbb{Z}_p]$, one could expect an approximation between theoretical and real bounds

Maximal Periods of $x^2 + c$ in $\mathbb{F}_q$

by computing the successive cardinalities of $f_c^i[\mathbb{Z}_p]$, for $i > 2$. However, this approach is not valid in general terms, because $f_c$ acts as a permutation over $f_c[\mathbb{Z}_p]$ for certain values of $p$ and $c$, such as $c = -2$ when 2 is not a quadratic residue in $\mathbb{Z}_p$. In any case, the experimental results obtained by computing $\#f_c^i[\mathbb{Z}_p]$ point out that $\#f_c^i[\mathbb{Z}_p]$ is very close to $0.25p$ in many cases.

Considering the prime numbers $p > 83$, the following remarks can be summarized.

Remark 2. As is known from [5], when $p$ is a 2-safe prime ($p = 2p' + 1$, $p' = 2p'' + 1$, with $p, p', p''$ distinct odd prime numbers), then the maximal cycle length of the function $f$ is $(p-3)t/2$, where $t$ is the quantity defined in [5]. In this case, the maximal cycle length of the function $f_c$ is $(p-3)/4$ for $c = -2$.

Remark 3. If $p \equiv 1 \pmod 4$, and $f_c$ has a maximal cycle length of $(p-1)/4$, then the maximal length of $f$ is always less than $(p-1)/4$.

Remark 4. If $p$ is a Fermat prime ($p = 2^{2^n} + 1$), then the maximal length of $f$ is 1 [5]. Hence, the maximal length of $f_c$ is greater than that of $f$.

Remark 5. If $p$ is a Mersenne prime ($p = 2^n - 1$), then the maximal length of $f$ is $n - 1$ [5]. Hence, this length is easily exceeded by the maximal length of $f_c$, as can be checked.
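The computations behind this section, as an added example that is not part of the original paper: the Python below walks the functional graph of $f_c(x) = x^2 + c$ over $\mathbb{Z}_p$ to obtain all cycle lengths, computes the cardinalities $\#f_c^i[\mathbb{Z}_p]$, and counts the pairs $N_c$ of Propositions 5 and 6 directly (for $q = p$ a prime with $p \equiv 1 \pmod 4$, so that $-1$ is a quadratic residue), checking the count against the closed forms of Proposition 6 and the identity $\#f_c^2[\mathbb{Z}_p] = (p+1)/2 - N_{-2c}$ from the proof of Theorems 1 and 2. The primes used are chosen here for illustration.

```python
"""Cycle structure of f_c(x) = x^2 + c over Z_p and the square-pair counts behind the cycle-length bound."""


def iterated_image(p, c, i):
    """The set f_c^i[Z_p]: apply x -> x^2 + c (mod p) i times to all of Z_p."""
    points = set(range(p))
    for _ in range(i):
        points = {(x * x + c) % p for x in points}
    return points


def cycle_lengths(p, c):
    """Lengths of all cycles in the functional graph of x -> x^2 + c on Z_p, sorted."""
    f = [(x * x + c) % p for x in range(p)]
    state = [0] * p          # 0 = unvisited, 1 = on the current walk, 2 = finished
    lengths = []
    for start in range(p):
        if state[start]:
            continue
        path, x = [], start
        while state[x] == 0:
            state[x] = 1
            path.append(x)
            x = f[x]
        if state[x] == 1:    # the walk closed on itself: x is the entry point of a new cycle
            lengths.append(len(path) - path.index(x))
        for y in path:
            state[y] = 2
    return sorted(lengths)


def max_cycle_length(p, c):
    return max(cycle_lengths(p, c))


def is_quadratic_residue(p, c):
    return pow(c % p, (p - 1) // 2, p) == 1


def count_square_pairs(p, c):
    """N_c: unordered pairs {u, v} of distinct squares in Z_p (zero included) with u + v = c."""
    squares = sorted({x * x % p for x in range(p)})
    return sum(1 for u in squares for v in squares if u < v and (u + v) % p == c % p)


def predicted_square_pairs(p, c):
    """Proposition 6 with q = p prime, p = 1 (mod 4), so that -1 is a quadratic residue."""
    if p % 4 != 1:
        raise ValueError("Proposition 6 needs -1 to be a quadratic residue, i.e. p = 1 (mod 4)")
    if ((p - 1) // 4) % 2 == 0:
        return (p - 1) // 8
    return (p + 3) // 8 if is_quadratic_residue(p, c) else (p - 5) // 8


def second_image_size_from_theorem(p, c):
    """#f_c^2[Z_p] = #f_c[Z_p] - N_{-2c} = (p + 1)/2 - N_{-2c}, as in the proof of Theorems 1 and 2."""
    return (p + 1) // 2 - count_square_pairs(p, -2 * c)


if __name__ == "__main__":
    for p in (13, 17, 29, 37, 89, 97):
        worst = max(max_cycle_length(p, c) for c in range(1, p))
        experimental = (p - 1) // 4 if p % 4 == 1 else (p - 3) // 4
        print(p, "max cycle length over c:", worst, "experimental bound:", experimental)
```

The graph walk is the same bookkeeping a Pollard-rho style attack relies on: the cycle entered from a start point is found the first time the walk revisits a node still marked as being on the current path.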
Abstract. We define Gauss-like sums over the Galois ring GR(4, r) and bound them using the Cauchy-Schwarz inequality. These sums are then used to obtain an upper bound on the aperiodic correlation function of quadriphase m-sequences constructed from GR(4, r).

Our first bound has a simple derivation and is better than the previous upper bound of Shanbhag et al. for small values of N. We then make use of a result of Shanbhag et al. to improve our bound, which gives rise to a bound $S_{improved}$ that is better than the bound of Shanbhag et al. These results can be used as a benchmark while searching for the best phases (termed auto-optimal phases) of such quadriphase sequences for use in spread spectrum communication systems. The bounds can also be applied to many other classes of non-binary sequences.

Index Terms: Galois rings, quadriphase sequences, aperiodic correlations, Gauss sums over Galois rings



1 Introduction and Motivation 

The design of sequences for Code Division Multiple Access (CDMA) communications has been a topic of interest over the last 50 years, starting in the arena of military communications, where the term spread spectrum originated, since the emphasis then was on spreading the spectrum to 'hide' the transmissions from conventional narrow band receivers or wideband receivers not having access to the correct spreading sequence. Starting in the late 1980s and continuing in the 1990s, the development of mass market public digital cellular radio systems based on CDMA has led to a large increase in research activity on all topics related to CDMA. Here we only concentrate on the sequence design aspect and focus on one particular figure of merit for CDMA based systems, the maximum aperiodic correlation. Other figures of merit include periodic correlation, partial period correlation, odd correlation and mean-square correlation. For an extensive discussion of these and other issues in CDMA sequence design we refer the reader to the extensive survey article by Helleseth and Kumar in [5]. We are thus content to provide a brief overview of the reason for being interested in the aperiodic correlation of sequences.

For single sequences — as opposed to sequence families — used in pulse com- 
pression radar applications, the aperiodic auto-correlation of the sequence, and 
specifically its maximum off peak magnitude, provides an obvious figure of merit. 
For CDMA applications, the aperiodic correlation plays a different role of inter- 
est. It contributes an additive term to the multiuser interference to which any 
user is subjected from other users utilizing the same bandwidth. Hence the in- 
terest in bounding the aperiodic correlation. 

2 Galois Rings and Sequences 

In this paper we give an upper bound on the aperiodic correlation function of polyphase sequences constructed from the Galois ring $GR(p^k, r)$, where $p^k$ is a power of a prime and $r$ is a positive integer. Our result is along the lines of a similar result proved in [6] for binary m-sequences. To obtain this result, we consider Gauss-like sums over $GR(p^k, r)$, which are essentially Fourier transforms, and bound these sums from above using the Cauchy-Schwarz inequality.

2.1 Definitions 

Let $q = p^k$, where $p$ is a prime and $k \ge 2$ is a positive integer. We define $q$-ary polyphase sequences using a mapping $\eta$ from $\mathbb{Z}_q$ to the field of complex numbers, given by $\eta : a \mapsto \omega^a$ with $\omega = e^{2\pi\sqrt{-1}/q}$. Clearly $\eta$ maps each symbol of $\mathbb{Z}_q$ to a complex root of unity.

Hence, corresponding to a sequence $M = (m_i : 0 \le i < N)$ over $\mathbb{Z}_q$, we can define a $q$-ary polyphase sequence $S$ given by

$$S = (\eta(m_i) = \omega^{m_i} : 0 \le i < N). \quad (1)$$

The exponential sum (or the correlation transform) of the sequence $S$ is then defined as

$$\theta(S) = \sum_{i=0}^{N-1} \omega^{m_i}. \quad (2)$$

For the rest of the paper we consider sequences of length $N$ exclusively and omit the $N$ from equations wherever convenient.

The aperiodic crosscorrelation function $C_{1,2}(l)$ for two polyphase sequences $S^1$ and $S^2$, derived from $\mathbb{Z}_q$ sequences $M^1 = (m_i^1)$ and $M^2 = (m_i^2)$ respectively, is defined as

$$C_{1,2}(l) = \begin{cases} \sum_{i=0}^{N-1-l} s_i^1 \, (s_{i+l}^2)^*, & 0 \le l \le N-1 \\ \sum_{i=0}^{N-1+l} s_{i-l}^1 \, (s_i^2)^*, & 1-N \le l < 0 \\ 0, & |l| \ge N. \end{cases} \quad (3)$$
Note that

$$C_{1,1}(0) = C_{2,2}(0) = N \quad \text{and that} \quad C_{2,1}(l) = C_{1,2}(-l)^*. \quad (4)$$

The periodic crosscorrelation function $\theta_{1,2}(\cdot)$ for $S^1$ and $S^2$ is defined as

$$\theta_{1,2}(l) = \sum_{i=0}^{N-1} s_i^1 \, (s_{i+l}^2)^* \quad \text{for all } l, \quad (5)$$

with the index $i + l$ taken modulo $N$. Note that $\theta_{1,1}(0) = \theta_{2,2}(0) = N$ and $\theta_{1,2}(l) = \theta_{2,1}(-l)^* = \theta_{1,2}(l + N)$, where $z^*$ denotes the complex conjugate of $z$, since the period of the sequences is $N$. Also,

$$\theta_{1,2}(l) = C_{1,2}(l) + C_{1,2}(l - N), \quad 0 \le l \le N-1.$$

The above equations illustrate the close relationship between the periodic and the aperiodic correlations. For more details on this relationship and its impact on performance, see the above referenced chapter in [5] and the references therein.

2.2 Galois Ring Sequences 

Galois rings are the generalizations of Galois fields and have been used widely in the past decade to construct various optimal families of $q$-ary polyphase sequences [1,9,10,8,3,4,7]. For details on Galois rings we refer the reader to [1,9,10]. Here, we remark that the Galois ring $GR(p^k, r)$, $r \ge 1$, is a Galois extension of $\mathbb{Z}_{p^k}$, the ring of integers modulo $p^k$, and is isomorphic to the ring $\mathbb{Z}_{p^k}[x]/(f(x))$, where $f(x) \in \mathbb{Z}_{p^k}[x]$ is called a monic basic irreducible polynomial of degree $r$. Let $\mu : \mathbb{Z}_{p^k} \to \mathbb{Z}_p = GF(p)$ be the (modulo $p$) projection map and extend this map to polynomials over $\mathbb{Z}_{p^k}$ in the natural way. Then $f(x)$ is a monic basic irreducible polynomial in $\mathbb{Z}_{p^k}[x]$ if $\mu(f(x))$ is a monic irreducible polynomial in $\mathbb{Z}_p[x]$.

Let $\alpha \in GR(p^k, r)$ be primitive (i.e., an element of multiplicative order $N = p^r - 1$). Without loss of generality $\alpha$ can be taken as one of the roots of $f(x)$.

Then it is natural to define a Galois ring m-sequence $M^v$ associated with a unit $v \in GR(p^k, r)$ by using the Galois ring trace function $Tr(\cdot)$ defined from $GR(p^k, r)$ to $\mathbb{Z}_{p^k}$ as

$$M^v = (M_i^v) = (Tr(v\alpha^i) : 0 \le i < N),$$

where $N = p^r - 1$. The cyclically distinct m-sequences are given by the set

$$\{M^{p^{k-1}}\} \cup \{M^v : v = 1 + \sum_{i=1}^{k-1} p^i v_i,\ v_i \in T\},$$

where $T$ is the Teichmuller set of the Galois ring $GR(p^k, r)$. $T$ contains all the powers of the primitive element $\alpha$ and the zero element, i.e., $T = \{0, 1, \alpha, \ldots, \alpha^{N-1}\}$. This set shares many properties of finite fields. Its nonzero elements are generated by $\alpha$ and it is closed under multiplication. However, it is not closed under addition. Note that the sequence $M^{p^{k-1}}$ is isomorphic to a $GF(p)$ m-sequence. Hence there are $(p^{kr} - 1)/(p^r - 1)$ cyclically distinct m-sequences over $\mathbb{Z}_{p^k}$.

2.3 Gauss Sums of Sequences over $\mathbb{Z}_{p^k}$

We are concerned with deriving upper bounds on the aperiodic correlation of the m-sequences $M^v$ over $\mathbb{Z}_4$. We follow the method adopted by Sarwate [6] to derive the bound. In the process we require a bound on Gauss-like sums or Fourier transform values of these sequences. Let $\zeta = \exp(2\pi\sqrt{-1}/N)$ be a complex primitive $N$-th root of unity. Then the Gauss sum or Fourier transform $\hat{S} = (\hat{S}_c)$ of an arbitrary $q$-ary polyphase sequence $S = (S_i) = \eta(M) = (\omega^{m_i})$ is defined as

$$\hat{S}_c = \sum_{i=0}^{N-1} S_i \, \zeta^{-ic}, \quad 0 \le c < N.$$

The values $\hat{S}_c$ are referred to as the Fourier transform values and they are related to the polyphase sequence symbols by the inverse Fourier transform

$$S_i = N^{-1} \sum_{c=0}^{N-1} \hat{S}_c \, \zeta^{ic}, \quad 0 \le i < N.$$

We are now ready to proceed to the proof of the main result of this paper.

3 A Simple Bound on Aperiodic Correlations of Quadriphase m-Sequences

In this section we will consider only quadriphase sequences derived from m-sequences over $\mathbb{Z}_4$. Let $\alpha \in GR(4, r)$, $r$ a positive integer, be a primitive element of multiplicative order $N = 2^r - 1$. The Teichmuller set $T$ of the Galois ring $GR(4, r)$ is defined as explained in the previous section. The cyclically distinct quadriphase m-sequences of length $N$ are given by the set

$$\{\eta(M^v)\} = \{(\omega^{Tr(2\alpha^i)})\} \cup \{(\omega^{Tr(v\alpha^i)}) : v = 1 + 2v',\ v' \in T\}.$$

3.1 Derivation of the Bound

Note that $S^2$ is a biphase m-sequence, and it is well known that $\hat{S}^2_c$ has magnitude $\sqrt{N+1}$ when $c \neq 0$ and takes the value $-1$ when $c = 0$ [6,2]. The proof uses the fact that all the phases of a binary m-sequence form an Abelian group under pointwise addition. When $v \in T$, this is not true, and hence we cannot easily bound the transform values. When $c = 0$, $\hat{S}^v_0$ is simply the sum of all quadriphase symbols in $S^v$. This value has a magnitude $\approx \sqrt{N+1}$ [1,9,10]. To bound the rest of the values we use the Cauchy-Schwarz inequality:
Lemma 1. If $V$ is a real or complex inner product space, then, for all $x, y \in V$,

$$|\langle x, y \rangle| \le \|x\| \, \|y\|,$$

where $\|\cdot\|$ denotes the norm of the space, obtained from the inner product $\langle \cdot, \cdot \rangle$ defined on $V$ via $\|x\| = \sqrt{\langle x, x \rangle}$. Equality holds if and only if one of the vectors $x, y$ is a scalar multiple of the other.

By utilizing the Cauchy-Schwarz inequality we prove the following result.

Theorem 1. The squared magnitudes of the Fourier coefficients of $S^v$ satisfy the following inequality

$$|\hat{S}^v_k|^2 \le N(1 + \sqrt{N+1}), \quad 1 \le k < N.$$

Proof.

$$|\hat{S}^v_k|^2 = \sum_{i=0}^{N-1} \sum_{m=0}^{N-1} S^v_i \, (S^v_m)^* \, \zeta^{-(i-m)k}.$$

By making the transformation $(i - m) = \tau$ (modulo $N$),

$$|\hat{S}^v_k|^2 = \sum_{\tau=0}^{N-1} \theta(N - \tau) \, \zeta^{-\tau k},$$

where $\theta(N - \tau)$ is the $(N - \tau)$-th periodic autocorrelation of $S^v$. Then

$$|\hat{S}^v_k|^2 = \theta(0) + \sum_{\tau=1}^{N-1} \theta(N - \tau) \, \zeta^{-\tau k}. \quad (6)$$

It has been shown in [1,9,10] that $|\theta(\tau)|$ is given by

$$|\theta(\tau)| = \begin{cases} N, & \tau \equiv 0 \pmod N \\ \sqrt{N+1}, & \text{otherwise.} \end{cases} \quad (7)$$

Also $|\zeta^{-\tau k}| = 1$, and after using Lemma 1 to bound the last term in (6), we have

$$|\hat{S}^v_k|^2 \le N + \sqrt{(N-1)(N+1)} \cdot \sqrt{N-1} \le N(1 + \sqrt{N+1}),$$

which proves the theorem.
By using the actual values of $\theta(i)$ we can improve the bound slightly. As in [6], we need some results on the following exponential sums. For any integer $c$, let

$$\gamma(l, c) = \sum_{k=0}^{N-l-1} \zeta^{-kc}, \quad 0 \le l \le N-1.$$

Then define $\Gamma_{l,N}$ [6] as

$$\Gamma_{l,N} = \frac{1}{N} \sum_{c=1}^{N-1} |\gamma(l, c)|.$$

We have the following lemma, proved in [6] using a method given by Vinogradov [11].

Lemma 2. [6, Lemma 1] $\Gamma_{l,N} < (2/\pi) \ln(4N/\pi)$, for $0 \le l \le N-1$.

In [6] it is also shown that for $N > 6$ the above bound can be improved to

$$\Gamma_{l,N} < (2/\pi) \ln(4e^{\pi/3} N / 3\pi), \quad (8)$$

which reduces the constant in the argument of the logarithm from $4/\pi = 1.273\ldots$ to $4e^{\pi/3}/3\pi = 1.209\ldots$.

Let $A(v_1, v_2, l, c)$ denote the cross ambiguity function of two m-sequences $S^{v_1}$ and $S^{v_2}$, where

$$A(v_1, v_2, l, c) = \sum_{i=0}^{N-1} S^{v_1}_i \, (S^{v_2}_{i+l})^* \, \zeta^{-ic}, \quad 0 \le c < N. \quad (9)$$

By using Theorem 1 we prove the following lemma.

Lemma 3. For $c \neq 0$ and either $v_1 \neq v_2$, any $l$, or $v_1 = v_2$, $l \not\equiv 0 \pmod N$,

$$|A(v_1, v_2, l, c)| \le \sqrt{N(1 + \sqrt{N+1})}.$$

Proof. We use the fact that m-sequences are closed under pointwise addition or subtraction. Then $A(v_1, v_2, l, c)$ is equal to the Gauss sum of an appropriate m-sequence. The result then follows from Theorem 1.

We now give the upper bound on the aperiodic crosscorrelation function magnitudes by making use of Lemmas 3 and 2 on the lines of the proof given in [6].

Theorem 2. For $l \neq 0$,

$$|C_{1,2}(l)| \le \sqrt{N+1} + \sqrt{N(1 + \sqrt{N+1})} \, (2/\pi) \ln(4e^{\pi/3} N / 3\pi).$$

Proof. In view of (3) and (4) it is sufficient to show the result for $1 \le l \le N-1$. Consider the sum

$$\sum_{c=0}^{N-1} A(v_1, v_2, l, c) \, \gamma(l, c)^* = \sum_{c=0}^{N-1} \sum_{i=0}^{N-1} S^{v_1}_i (S^{v_2}_{i+l})^* \zeta^{-ic} \sum_{k=0}^{N-l-1} \zeta^{kc} = \sum_{i=0}^{N-1} \sum_{k=0}^{N-l-1} S^{v_1}_i (S^{v_2}_{i+l})^* \sum_{c=0}^{N-1} \zeta^{(k-i)c} = N \, C_{1,2}(l), \quad (10)$$

since the innermost sum has value 0 when $i \neq k$ and a value of $N$ when $i = k$. On the other hand the sum can also be written as

$$\sum_{c=0}^{N-1} A(v_1, v_2, l, c) \, \gamma(l, c)^* = A(v_1, v_2, l, 0) \, \gamma(l, 0) + \sum_{c=1}^{N-1} A(v_1, v_2, l, c) \, \gamma(l, c)^* \quad (11)$$

$$= (N - l) \, A(v_1, v_2, l, 0) + \sum_{c=1}^{N-1} A(v_1, v_2, l, c) \, \gamma(l, c)^*, \quad l \not\equiv 0 \pmod N,$$

since $\gamma(l, 0) = N - l$. The function $A(v_1, v_2, l, 0)$ is the exponential sum of an m-sequence, whose magnitude is shown to be $\sqrt{N+1}$ [1,9,10]. By combining equations (11), (10) and (8) with Lemmas 2 and 3, we get the result.



3.2 An Improved Bound

We note that our bound in Theorem 2 can be applied to any set of polyphase sequences provided we have bounds for the Gauss and exponential sums. Here we make use of a Gauss sum bound given in [7] for a class of Galois ring sequences. The bound depends on a quantity called the weighted degree of the polynomial representing the sequences. Let $f(x)$ be a polynomial over $GR(p^k, r)$ with the $p$-adic expansion

$$f(x) = F_0(x) + pF_1(x) + \cdots + p^{k-1}F_{k-1}(x),$$

where the $F_i(x)$, $0 \le i \le k-1$, are obtained from the $p$-adic expansion of the coefficients of $f(\cdot)$. Further, we assume that $f$ is nondegenerate, by which we mean that $f$ satisfies the following conditions:

1. $f(0) = 0$,

2. $f \not\equiv 0 \pmod p$, and

3. no monomial term in $f(x)$ has degree that is a multiple of $p$.

Let $d_j$ be the degree of $F_j(x)$, $0 \le j \le k-1$. Then the weighted degree $D$ of $f(x)$ is defined as

$$D = \max\{p^{k-1} d_0,\ p^{k-2} d_1,\ \cdots,\ d_{k-1}\}.$$

By making use of a nondegenerate polynomial $f$ of weighted degree $D$, many families of optimal polyphase sequences have been defined and studied in [3,7]. Let $\alpha$ be a primitive element of order $N = p^r - 1$ in $GR(p^k, r)$. Then a sequence associated with a unit $v \in GR(p^k, r)$ and a nondegenerate polynomial $f$ of weighted degree $D$ is given by

$$M^v = (M^v_i) = (Tr(f(v\alpha^i)) : 0 \le i < N). \quad (12)$$

Note that when $f(x) = x$, the weighted degree is $p^{k-1}$ and the sequences are m-sequences.
Theorem 3. [7, Theorem 2] Let $f(x)$ be a nondegenerate polynomial with weighted degree $D$. Then we have for the Gauss sums of sequences in (12),

$$|\hat{S}_k| \le D\sqrt{N+1}, \quad 1 \le k < N.$$

Theorem 4. [3, Theorem 1] Let $f(x)$ be a nondegenerate polynomial with weighted degree $D$. Then we have for the exponential sums of sequences in (12),

$$|\theta(S)| \le (D - 1)\sqrt{N+1}.$$

Note that when $D = 2$, $p = 2$, $k = 2$, the above bound is better than the bound in Lemma 3. If we apply the above two bounds to our aperiodic crosscorrelation bound in Theorem 2, we get the following modified bound.

Theorem 5. For $l \neq 0$,

$$|C_{1,2}(l)| \le (D - 1)\sqrt{N+1} + (2/\pi) \, D \sqrt{N+1} \, \ln(4e^{\pi/3} N / 3\pi).$$

Proof. The proof runs exactly as the proof of Theorem 2, using the Gauss and exponential sum bounds of Theorems 3 and 4.

For quadriphase sequences, $D = 2$, and the improved bound then becomes

$$|C_{1,2}(l)| \le \sqrt{N+1} + (4/\pi)\sqrt{N+1} \, \ln(4e^{\pi/3} N / 3\pi), \quad l \neq 0. \quad (13)$$

Clearly the above bound depends on the bound in Theorem 1, and any improvement must come from an improvement to Theorem 1, which is left as an open problem.
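As an added example, not code from the paper: the Python below builds $GR(4, 3)$ as $\mathbb{Z}_4[x]/(x^3 + x + 1)$ (a constructed choice of monic basic irreducible polynomial; the reader can substitute any other), takes the Teichmuller lift of $x$ as the primitive element $\alpha$, implements the Frobenius and the trace, generates the quadriphase m-sequences of the set in Section 3 (for $v = 2$ and $v = 1 + 2v'$), and evaluates the aperiodic and periodic correlations of (3) and (5) against the bounds of Theorem 2 and (13), plus the bound of [7] restated as (14) in Section 4. The logarithm constant is that of (8). For $N = 7$ every bound exceeds the trivial $|C_{1,2}(l)| \le N - |l|$, which is the small-$N$ weakness the conclusions note; the value of the example is the construction itself.

```python
"""Quadriphase m-sequences over GR(4, r) = Z4[x]/(f(x)), their correlations, and the bounds (13), (14)."""
import math

R = 3                       # extension degree r; the period is N = 2^r - 1
N = 2 ** R - 1
# Constructed choice of f: x^3 + x + 1 read over Z4. It is monic and irreducible mod 2,
# hence basic irreducible, so Z4[x]/(f) is GR(4, 3). F_LOW lists the coefficients of 1, x, x^2.
F_LOW = [1, 1, 0]
ONE = [1] + [0] * (R - 1)
X = [0, 1] + [0] * (R - 2)
OMEGA = [1, 1j, -1, -1j]    # omega^k for k in Z4, omega = exp(2 pi i / 4)

def add(a, b):
    return [(u + v) % 4 for u, v in zip(a, b)]

def mul(a, b):
    """Product in Z4[x]/(f): schoolbook multiplication, then reduce with x^R = -(F_LOW . (1, x, ...))."""
    prod = [0] * (2 * R - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            prod[i + j] += u * v
    for d in range(2 * R - 2, R - 1, -1):
        coef, prod[d] = prod[d] % 4, 0
        for i in range(R):
            prod[d - R + i] -= coef * F_LOW[i]
    return [c % 4 for c in prod[:R]]

def power(a, e):
    result, base = ONE, a
    while e:
        if e & 1:
            result = mul(result, base)
        base, e = mul(base, base), e >> 1
    return result

def teichmuller(a):
    """a^(2^R) depends only on a mod 2 and lies in the Teichmuller set T = {0, 1, alpha, ..., alpha^(N-1)}."""
    return power(a, 2 ** R)

ALPHA = teichmuller(X)      # the Teichmuller lift of x mod 2: a primitive element of order N

def frobenius(a):
    """sigma(a0 + 2 a1) = a0^2 + 2 a1^2, where a = a0 + 2 a1 is the 2-adic expansion with a0, a1 in T."""
    a0 = teichmuller(a)
    a1 = teichmuller([((u - v) % 4) // 2 for u, v in zip(a, a0)])
    return add(mul(a0, a0), [2 * c % 4 for c in mul(a1, a1)])

def trace(a):
    """Galois ring trace Tr: GR(4, R) -> Z4, the sum of the R Frobenius conjugates."""
    total, conj = [0] * R, a
    for _ in range(R):
        total, conj = add(total, conj), frobenius(conj)
    assert all(c == 0 for c in total[1:]), "the trace must lie in Z4"
    return total[0]

def m_sequence(v):
    """M^v = (Tr(v alpha^i) : 0 <= i < N) over Z4."""
    return [trace(mul(v, power(ALPHA, i))) for i in range(N)]

def polyphase(m):
    return [OMEGA[k] for k in m]

def aperiodic_xcorr(s1, s2, l):
    """C_{1,2}(l) of (3)."""
    n = len(s1)
    if abs(l) >= n:
        return 0
    if l >= 0:
        return sum(s1[i] * s2[i + l].conjugate() for i in range(n - l))
    return sum(s1[i - l] * s2[i].conjugate() for i in range(n + l))

def periodic_xcorr(s1, s2, l):
    """theta_{1,2}(l) of (5), with the index i + l taken modulo the period."""
    n = len(s1)
    return sum(s1[i] * s2[(i + l) % n].conjugate() for i in range(n))

def max_aperiodic(s1, s2):
    return max(abs(aperiodic_xcorr(s1, s2, l)) for l in range(1 - len(s1), len(s1)) if l != 0)

def log_term(n):
    return math.log(4 * math.exp(math.pi / 3) * n / (3 * math.pi))   # the argument of (8)

def bound_theorem2(n):
    return math.sqrt(n + 1) + math.sqrt(n * (1 + math.sqrt(n + 1))) * (2 / math.pi) * log_term(n)

def bound_improved(n):      # (13): weighted degree D = 2
    return math.sqrt(n + 1) + (4 / math.pi) * math.sqrt(n + 1) * log_term(n)

def bound_shanbhag(n, d=2):  # (14)
    return d * math.sqrt(n + 1) * (math.log(n) + 1)

if __name__ == "__main__":
    s_one = polyphase(m_sequence(ONE))                                    # v = 1 = 1 + 2 * 0
    s_two = polyphase(m_sequence(add(ONE, [2 * c % 4 for c in ALPHA])))   # v = 1 + 2 alpha
    print("max |C_{1,2}(l)|:", round(max_aperiodic(s_one, s_two), 3),
          "Theorem 2:", round(bound_theorem2(N), 2), "(13):", round(bound_improved(N), 2),
          "[7]:", round(bound_shanbhag(N), 2))
```

Note that for $v = 2$ the sequence reduces to $\pm 1$ symbols and its periodic autocorrelation is exactly $-1$ off peak, while for a unit $v$ the off-peak periodic autocorrelation is $-1$ plus a Gauss-like sum of magnitude $\sqrt{N+1}$, so its magnitude lies within 1 of $\sqrt{N+1}$ rather than equalling it; the bounds above are unaffected, since the check only needs an upper bound.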

4 Conclusions and Comparison of Bounds

In [7], sophisticated techniques are used to obtain an upper bound on the aperiodic correlation function of certain Galois ring sequences. This bound again depends on the weighted degree of the polynomial representing the sequences. Here, we are interested in comparing this bound with our results in Theorems 2 and 5.

The aperiodic crosscorrelation bound in [7] is given by

$$|C_{1,2}(l)| \le D\sqrt{N+1}(\ln N + 1), \quad (14)$$

where $D$ is the weighted degree mentioned above. For m-sequences over $\mathbb{Z}_4$, the weighted degree $D$ is 2, thus

$$|C_{1,2}(l)| \le 2\sqrt{N+1}(\ln N + 1).$$

Table 1 gives a comparison of various bounds for quadriphase m-sequences. Our improved bound in (13) is better than the bound in [7]. Note that from
Table 1. Comparison of aperiodic correlation bounds for quadriphase m-sequences

      N   Bound of Theorem 2   Bound in [7]   Improved bound in   Ratio
                S_1              S_Shanbhag     Theorem 5          S_improved / S_Shanbhag
                                                S_improved
      7         9.87             17.42          10.52              0.604
     15        19.98             30.18          18.76              0.622
     31        38.80             50.52          31.76              0.629
     63        73.69             82.54          52.14              0.632
    127       138.05            132.42          83.83              0.633
    255       256.23            209.45         132.76              0.634
    511       472.17            327.57         207.77              0.634
   1023       864.89            507.61         322.12              0.635
   2047      1576.01            780.61         495.51              0.635
  32767     16641              4126.23        2621.16              0.635
1048575    294323             30439          19346                 0.636

Table 1, the improved bound is better than the bound in [7] by a factor of 0.64. We can write

$$S_{improved} \le \sqrt{N+1} + (4/\pi)\sqrt{N+1}\ln(4e^{\pi/3}N/3\pi) \approx \sqrt{N+1} + 1.273\sqrt{N+1}(\ln N + 0.19) \le \sqrt{N+1} + 1.273\sqrt{N+1}(\ln N + 1),$$

which is clearly less than $S_{Shanbhag} = 2\sqrt{N+1}(\ln N + 1)$. In fact, using the above upper bound for $S_{improved}$ we can write

$$S_{Shanbhag} - S_{improved} \ge \left(0.727(\ln N + 1) - 1\right)\sqrt{N+1},$$

and the right hand side of this expression becomes positive as soon as $N > e$.

However, our simple bound given in Theorem 2 is asymptotically inferior to the bound in [7].

From Table 1, it is clear that our techniques do not work well for small values of $N$. In this case it is straightforward to compute $C_{1,2}(l)$ directly and improve the bounds. We are at present making use of the exact values of $C_{1,2}(l)$ to find the best phases of these m-sequences with respect to aperiodic correlations.

Finally, we remark that, even though we have discussed bounds only for Galois ring sequences, the techniques extend easily to other optimal families of polyphase sequences like Kumar-Moreno sequences [12].
Abstract. In this paper we extend the concept of Euclidean ring in commutative rings to arbitrary modules and give a special Euclidean $\mathbb{F}_q[x]$-module $K^n$, where $\mathbb{F}_q$ is a finite field, $n$ a positive integer and $K = \mathbb{F}_q((x^{-1}))$. Thus a generalized Euclidean algorithm in it is deduced by means of the $\mathbb{F}_q[x]$-lattice basis reduction algorithm. As its direct application, we present a new multisequence synthesis algorithm completely equivalent to the Feng-Tzeng generalized Euclidean synthesis algorithm. In addition it is also equivalent to the Mills continued fractions algorithm in the case of single sequence synthesis.



1 Introduction 

The Euclidean algorithm and the continued fractions technique play important roles in mathematics and other fields. The sequence synthesis problem is also a key problem in coding theory, cryptography and control theory. Many versions of the Euclidean algorithm are used to solve such problems [2], [4], [5], [11]. In studying the single sequence synthesis problem, Mills developed a relation between the continued fractions algorithm and the well-known Berlekamp-Massey algorithm [1], [3], [7], [8]. Since there is so much similarity between the Euclidean algorithm and continued fractions, in this paper we extend the concept of Euclidean ring in commutative rings to arbitrary modules. Thus a generalized Euclidean algorithm can be deduced in such modules, and so the usual Euclidean algorithm and the continued fractions algorithm become its special cases. In particular, the vector space $K^n$, where $\mathbb{F}_q$ is a finite field, $n$ a positive integer and $K = \mathbb{F}_q((x^{-1}))$, is also a Euclidean $\mathbb{F}_q[x]$-module. Based on the $\mathbb{F}_q[x]$-lattice basis reduction algorithm [10], we derive a generalized Euclidean algorithm in it. As its direct application, in Section 3 we present a new multisequence synthesis algorithm. In Section 4 the equivalence with the Feng-Tzeng generalized Euclidean synthesis algorithm [5] is made more explicit. In Section 5 we show that the new synthesis algorithm is also equivalent to the Mills continued fractions algorithm for single sequence synthesis. Finally, we give our conclusion in Section 6.
2 Euclidean Modules

In this section we extend the concept of Euclidean ring to arbitrary modules. The chief result is that the $\mathbb{F}_q[x]$-module $K^n$ is a Euclidean module, and so a generalized Euclidean algorithm is deduced in it.

Definition 1. Let $R$ be a ring with identity and $A$ an $R$-module. Let $A$ have an equivalence relation denoted by $\sim$. Then $A$ is a Euclidean $R$-module if there is a function $\phi : A - \{0\} \to \mathbb{Z}$ such that

1. if $r \in R$, $\beta \in A$ and $r\beta \neq 0$, then $\phi(\beta) \le \phi(r\beta)$;

2. if $\alpha, \beta \in A$ and $\beta \neq 0$, then there exist $q \in R$ and $\gamma \in A$ such that

$$\alpha = q\beta + \gamma, \quad (1)$$

where $\gamma \not\sim \beta$, or if $\gamma \sim \beta$ then $\phi(\beta) > \phi(\gamma)$.

Example 1. A Euclidean ring $R$ is also a Euclidean $R$-module under the trivial equivalence relation, i.e. $R$ has two equivalence classes: the set of all nonzero elements is one class and $\{0\}$ is the other.

Example 2. The rational number field $\mathbb{Q}$ is also a $\mathbb{Z}$-module. Define the function

$$\phi : \mathbb{Q} - \{0\} \to \mathbb{Z}, \qquad \alpha = \sum_i a_i \cdot 10^{-i} \mapsto \max\{-i \mid a_i \neq 0\}.$$

For $\alpha, \beta \neq 0 \in \mathbb{Q}$, there exist $a \in \mathbb{Z}$ and $\gamma \in \mathbb{Q}$ such that

$$\alpha = a\beta + \gamma, \quad (2)$$

where $\gamma = 0$, or if $\gamma \neq 0$ then $\phi(\beta) > \phi(\gamma)$, and $a = [\alpha/\beta]$, the integer part of a rational number.

It is easily verified that $\mathbb{Q}$ is also a Euclidean $\mathbb{Z}$-module under the trivial equivalence relation. Using equation (2) repeatedly, we can deduce the Euclidean algorithm in it.

Given $\alpha, \beta \neq 0 \in \mathbb{Q}$, we have

$$\alpha = -a_0\beta + \gamma_0 \quad \text{with } \gamma_0 = 0 \text{ or } \phi(\gamma_0) < \phi(\beta),$$

$$\beta = -a_1\gamma_0 + \gamma_1 \quad \text{with } \gamma_1 = 0 \text{ or } \phi(\gamma_1) < \phi(\gamma_0),$$

$$\cdots$$

$$\gamma_{k-2} = -a_k\gamma_{k-1} + \gamma_k \quad \text{with } \gamma_k = 0 \text{ or } \phi(\gamma_k) < \phi(\gamma_{k-1}),$$

where $-a_k$ is determined by $\gamma_{k-2}, \gamma_{k-1}$, i.e. $-a_k = [\gamma_{k-2}/\gamma_{k-1}]$.

Given a positive rational number $s$, let $\alpha = s$ and $\beta = -1$; then the module Euclidean algorithm applied to $\alpha$ and $\beta$ is the continued fractions algorithm applied to $s$.
Example 3. Let $K = \{\sum_{i \ge i_0} a_i x^{-i} \mid i_0 \in \mathbb{Z},\ a_i \in \mathbb{F}_q\}$. Then $K$ is a Laurent series field. Naturally there exists an action of $\mathbb{F}_q[x]$ on $K$, and so $K$ is also an $\mathbb{F}_q[x]$-module.

Define a map

$$v : K - \{0\} \to \mathbb{Z}, \qquad \alpha(x) = \sum_{i \ge i_0} a_i x^{-i} \mapsto \min\{i \mid a_i \neq 0\}.$$

Analogous to $\mathbb{Q}$, $K$ is a Euclidean $\mathbb{F}_q[x]$-module with $\phi = -v$ under the trivial equivalence relation. Thus there is a Euclidean algorithm in it, and we will discuss it in Section 5 in detail.



Example 4. In [5] a special Euclidean module was presented. First define an equivalence relation $\sim$ on the ring $\mathbb{F}_q[x]$. For a positive integer $m$ and $a(x), b(x) \in \mathbb{F}_q[x]$, $a(x) \sim b(x)$ if and only if $\deg(a(x)) \equiv \deg(b(x)) \pmod m$. Obviously $\sim$ is a congruence relation on this ring and thus induces a partition into $m + 1$ congruence classes. It is easily verified that $\mathbb{F}_q[x]$ is a Euclidean $\mathbb{F}_q[x^m]$-module under the equivalence relation $\sim$ and $\phi(a(x)) = \deg(a(x))$. Hence there is a corresponding Euclidean algorithm in it, see [5].

Next we give an important example.

Let $K = \mathbb{F}_q((x^{-1}))$ and $n$ a positive integer; then $K^n$ is a vector space of rank $n$. Naturally there exists an action of $\mathbb{F}_q[x]$ on $K^n$, and so $K^n$ is an $\mathbb{F}_q[x]$-module. In addition we frequently use three important functions. First, $v$ is extended to a function on $K^n$, written as $V$:

$$V : K^n - \{0\} \to \mathbb{Z}, \qquad \beta = (b_i(x))_{0 \le i \le n-1} \mapsto \min\{v(b_i(x)) \mid 0 \le i \le n-1\}.$$

Define a projection

$$\theta_k : K^n \to \mathbb{F}_q^n, \qquad \beta = (b_i(x))_{0 \le i \le n-1} \mapsto (b_{i,k})_{0 \le i \le n-1},$$

where $b_i(x) = \sum_j b_{i,j} x^{-j}$, $0 \le i \le n-1$, for $k \in \mathbb{Z}$. For $\beta \neq 0$ we often use $\theta_{V(\beta)}(\beta)$, so it is simply denoted $\theta(\beta)$.

Besides, define $\pi_i : \mathbb{F}_q^n \to \mathbb{F}_q$ by $(a_0, \cdots, a_{n-1}) \mapsto a_i$ for $0 \le i \le n-1$.

Define $n + 1$ classes on $K^n$. The first class is denoted by $[1, *, \cdots, *] = \{\beta \in K^n \mid \pi_0(\theta(\beta)) \neq 0\}$. The second class is denoted by $[0, 1, *, \cdots, *] = \{\beta \in K^n \mid \pi_0(\theta(\beta)) = 0,\ \pi_1(\theta(\beta)) \neq 0\}$, $\cdots$, the $n$-th class is denoted by $[0, \cdots, 0, 1] = \{\beta \in K^n \mid \pi_j(\theta(\beta)) = 0 \text{ for all } j,\ 0 \le j \le n-2,\ \pi_{n-1}(\theta(\beta)) \neq 0\}$. The last class has only one element, $0$. Any vector $\beta \in K^n$ belongs to one and only one class. We write $\beta \sim \gamma$ if $\beta$ and $\gamma$ are in the same class. First we have

Lemma 1. Let $\beta^{(0)}, \cdots, \beta^{(n-1)}$ be $n$ nonzero vectors belonging to distinct classes in $K^n$. Then they are $\mathbb{F}_q[x]$-linearly independent.

Analogous to the division algorithm in rings, consider the case in $K^n$. Given two nonzero vectors $\alpha, \beta \in K^n$, $\alpha \sim \beta \in [0, \cdots, 0, 1, *, \cdots, *]_{(u)}$ with $0 \le u \le n-1$ and $V(\alpha) \le V(\beta)$, then we have

$$\alpha = \frac{\pi_u(\theta(\alpha))}{\pi_u(\theta(\beta))} \, x^{V(\beta) - V(\alpha)} \, \beta + \delta_1 \quad (3)$$
with $V(\delta_1) > V(\alpha)$.

If $\delta_1 \sim \beta$ and $V(\delta_1) > V(\beta)$, or $\delta_1 \not\sim \beta$, then the process terminates.

Otherwise, $V(\delta_1) > V(\alpha)$ and we continue the above process:

$$\delta_1 = \frac{\pi_u(\theta(\delta_1))}{\pi_u(\theta(\beta))} \, x^{V(\beta) - V(\delta_1)} \, \beta + \delta_2. \quad (4)$$

If $\delta_2 \not\sim \beta$, or $\delta_2 \sim \beta$ and $V(\delta_2) > V(\beta)$, then it terminates. Otherwise repeat the above process till we get

$$\delta_{k-1} = \frac{\pi_u(\theta(\delta_{k-1}))}{\pi_u(\theta(\beta))} \, x^{V(\beta) - V(\delta_{k-1})} \, \beta + \delta_k, \quad (5)$$

where $\delta_k \not\sim \beta$, or $\delta_k \sim \beta$ and $V(\delta_k) > V(\beta)$.

Since the value of $V(\delta_i)$ strictly increases for $1 \le i \le k$, the process finishes in finitely many steps. Thus we have

$$\alpha = \left( \frac{\pi_u(\theta(\alpha))}{\pi_u(\theta(\beta))} x^{V(\beta) - V(\alpha)} + \frac{\pi_u(\theta(\delta_1))}{\pi_u(\theta(\beta))} x^{V(\beta) - V(\delta_1)} + \cdots + \frac{\pi_u(\theta(\delta_{k-1}))}{\pi_u(\theta(\beta))} x^{V(\beta) - V(\delta_{k-1})} \right) \beta + \gamma, \quad (6)$$

where $\gamma = \delta_k$ and $\gamma$ satisfies the above conditions. Therefore we have

Theorem 1. Let $\alpha$ and $\beta \neq 0$ be two vectors in $K^n$ with $\alpha \sim \beta$ and $V(\alpha) \le V(\beta)$. Then there uniquely exist $q(x) \neq 0 \in \mathbb{F}_q[x]$ and $\gamma \in K^n$ such that

$$\alpha = q(x)\beta + \gamma, \quad (7)$$

where $V(\gamma) > V(\beta)$ if $\gamma \sim \beta$.

Since $V(\beta) - V(\alpha) > V(\beta) - V(\delta_1) > \cdots > V(\beta) - V(\delta_{k-1})$, we also have

Corollary 1. With the same notation as the above theorem,

$$\deg(q(x)) = V(\beta) - V(\alpha). \quad (8)$$

It is easily verified that $K^n$ is a Euclidean $\mathbb{F}_q[x]$-module under the above equivalence relation and $\phi(\beta) = -V(\beta)$ for $\beta \in K^n$.

By repeated use of Theorem 1, we can get a multidivisor form as follows.

Theorem 2. Let $\beta^{(0)}, \cdots, \beta^{(t-1)}$, $1 \le t \le n$, be $t$ nonzero vectors which belong to distinct classes in $K^n$. Given a vector $\alpha \in K^n$, $\alpha \sim \beta^{(u)}$ for some $u$, $0 \le u \le t-1$, and $V(\alpha) \le V(\beta^{(u)})$. Then there exist unique elements $q^{(0)}(x), \cdots, q^{(t-1)}(x) \in \mathbb{F}_q[x]$, $\gamma \in K^n$ such that

$$\alpha = \sum_{h=0}^{t-1} q^{(h)}(x)\beta^{(h)} + \gamma, \quad (9)$$

where $\gamma \not\sim \beta^{(h)}$ for all $h$, $0 \le h \le t-1$, or $V(\gamma) > V(\beta^{(i)})$ if $\gamma \sim \beta^{(i)}$ for some $i$.

By repeated application of Theorem 2, we introduce a generalized Euclidean algorithm in this module.
Theorem 3. Given $t$ nonzero vectors $\beta_1^{(0)}, \cdots, \beta_1^{(t-1)} \in K^n$ which belong to $t$ distinct equivalence classes, $1 \le t \le n$, and $\alpha_1 \sim \beta_1^{(u_1)}$, $V(\alpha_1) \le V(\beta_1^{(u_1)})$, we obtain the following series of equations

$$\alpha_j = \sum_{h=0}^{t-1} q_j^{(h)}(x)\beta_j^{(h)} + \gamma_j, \quad (10)$$

where $V(\gamma_j) > V(\beta_j^{(u_j)})$ if $\gamma_j \sim \beta_j^{(u_j)}$,

$$\alpha_{j+1} = \beta_j^{(u_j)}, \quad \beta_{j+1}^{(u_j)} = \gamma_j, \quad \beta_{j+1}^{(h)} = \beta_j^{(h)} \text{ for } h \neq u_j, \quad (11)$$

for $j = 1, 2, \cdots$, until some $j = k$ such that $\gamma_k \not\sim \beta_k^{(h)}$ for all $0 \le h \le t-1$.

By the Euclidean algorithm we can get the greatest common divisor in rings; by the above theorem we have

Corollary 2. The submodule generated by $\beta_1^{(0)}, \cdots, \beta_1^{(t-1)}, \alpha_1$ is the submodule generated by $\beta_k^{(0)}, \cdots, \beta_k^{(t-1)}, \gamma_k$.

Remark 1. If $t = n - 1$ and $\beta_1^{(0)}, \cdots, \beta_1^{(t-1)}, \alpha_1$ are $\mathbb{F}_q[x]$-linearly independent, then by Lemma 1 and Corollary 2, $\beta_k^{(0)}, \cdots, \beta_k^{(t-1)}, \gamma_k$ are $\mathbb{F}_q[x]$-linearly independent and they are a reduced basis of the $\mathbb{F}_q[x]$-lattice $\Lambda(\beta_1^{(0)}, \cdots, \beta_1^{(t-1)}, \alpha_1)$. In [10], given a basis of a lattice, there are finitely many steps to obtain its reduced basis. Our generalized Euclidean algorithm can be considered as a special form of it, and so we can obtain the required result in finitely many steps.

For convenience, we rewrite the above equations and define

$$\beta_0^{(u_0)} = \alpha_1, \quad \beta_0^{(h)} = \beta_1^{(h)} \text{ for } h \neq u_0, \quad \gamma_0 = \beta_1^{(u_0)}.$$

For $j \ge 1$, we have

$$\alpha_j = \beta_{j-1}^{(u_{j-1})}, \quad \beta_j^{(u_{j-1})} = \gamma_{j-1}, \quad \beta_j^{(h)} = \beta_{j-1}^{(h)} \text{ for } h \neq u_{j-1}.$$

Then (10) can be rewritten as

$$\gamma_j = -q_j^{(u_{j-1})}(x)\gamma_{j-1} + \beta_{j-1}^{(u_{j-1})} + \sum_{h=0,\ h \neq u_{j-1}}^{t-1} \left(-q_j^{(h)}(x)\right)\beta_{j-1}^{(h)}. \quad (12)$$



3 Multisequence Synthesis Algorithm

In this section we apply the module Euclidean algorithm to the multisequence synthesis problem, which is to find a shortest linear recurrence satisfied by given multiple sequences. First we formulate the problem.

Let $a^{(h)} = (a_0^{(h)}, \cdots, a_{N-1}^{(h)})$, $0 \le h \le m-1$, be $m$ sequences, each of length $N$, over a finite field $\mathbb{F}_q$. A nonzero polynomial $q(x) = \sum_{j=0}^{d} c_j x^j$ is called an annihilating polynomial of $a^{(0)}, \cdots, a^{(m-1)}$ if

$$c_d a_k^{(h)} + c_{d-1} a_{k-1}^{(h)} + \cdots + c_0 a_{k-d}^{(h)} = 0 \quad (13)$$
for all $k$ and $h$, $d \le k \le N-1$, $0 \le h \le m-1$. When $c_d = 1$, it is called a characteristic polynomial. A minimal polynomial is a characteristic polynomial of minimum degree. The multisequence synthesis problem of $a^{(0)}, \cdots, a^{(m-1)}$ is to find one of their minimal polynomials.
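To make the problem concrete, here is an added Python example that is not from the paper and does not implement the Euclidean-module algorithm below: it generates sample sequences from known LFSRs over $\mathbb{F}_p$ (the characteristic polynomials and initial states are constructed for the example), then finds a minimal polynomial by the direct method of trying each degree $d$ in turn and solving the linear system (13) for $c_0, \ldots, c_{d-1}$ over $\mathbb{F}_p$ by Gauss-Jordan elimination. Any synthesis algorithm, including Algorithm 1 below, must return a polynomial of the same degree on these inputs, which makes the routine a useful reference check.

```python
"""Multisequence synthesis by direct solution of the annihilation conditions (13) over F_p."""


def lfsr(charpoly, init, length, p):
    """Extend init by the recurrence of the monic characteristic polynomial charpoly = (c_0, ..., c_d), c_d = 1."""
    d = len(charpoly) - 1
    assert charpoly[d] % p == 1 and len(init) == d
    seq = [a % p for a in init]
    while len(seq) < length:
        k = len(seq)
        seq.append(-sum(charpoly[j] * seq[k - d + j] for j in range(d)) % p)
    return seq


def annihilates(q, seq, p):
    """Condition (13): c_d a_k + c_{d-1} a_{k-1} + ... + c_0 a_{k-d} = 0 for d <= k <= N-1."""
    d = len(q) - 1
    return all(sum(q[j] * seq[k - d + j] for j in range(d + 1)) % p == 0 for k in range(d, len(seq)))


def solve_mod_p(rows, p):
    """Gauss-Jordan elimination over F_p on augmented rows [a_0, ..., a_{n-1}, b]; one solution or None."""
    rows = [[x % p for x in row] for row in rows]
    n = len(rows[0]) - 1
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col], -1, p)
        rows[r] = [x * inv % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[r])]
        pivots.append(col)
        r += 1
        if r == len(rows):
            break
    if any(row[-1] for row in rows[r:]):   # a leftover row 0 = b with b != 0: inconsistent system
        return None
    sol = [0] * n                          # free variables (if any) are set to 0
    for i, col in enumerate(pivots):
        sol[col] = rows[i][-1]
    return sol


def minimal_polynomial(seqs, p):
    """Monic q of least degree annihilating every sequence in seqs, returned as (c_0, ..., c_d)."""
    n = len(seqs[0])
    for d in range(n + 1):
        # one row per (sequence, k): sum_{j<d} c_j a_{k-d+j} = -a_k, the unknown c_d being 1
        rows = [[s[k - d + j] for j in range(d)] + [-s[k]] for s in seqs for k in range(d, n)]
        if not rows:                       # d = N: no constraint remains, so x^N annihilates trivially
            return [0] * d + [1]
        sol = solve_mod_p(rows, p)
        if sol is not None:
            return sol + [1]


if __name__ == "__main__":
    # constructed sample: one sequence from x^3 + x + 1 and one from x^2 + x + 1 over F_2
    s1 = lfsr([1, 1, 0, 1], [1, 0, 0], 14, 2)
    s2 = lfsr([1, 1, 1], [1, 0], 14, 2)
    print("joint minimal polynomial (c_0..c_d):", minimal_polynomial([s1, s2], 2))
```

The degree-by-degree search costs $O(N \cdot d^2 \cdot m)$ field operations per candidate degree and is only meant as an oracle; Algorithm 1 reaches the same answer in a single pass over the sequences, which is what matters when $N$ is the length of a captured keystream.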

In [12] a new multisequence synthesis algorithm (LBRMS) was presented by means of the $\mathbb{F}_q[x]$-lattice basis reduction algorithm. We review it briefly. Let $a^{(h)}(x)$ be the formal negative-power series of $a^{(h)}$, $0 \le h \le m-1$, and $q(x)$ a polynomial over $\mathbb{F}_q$ of degree $d$. By Lemma 1 of [12], $q(x)$ is an annihilating polynomial of $a^{(0)}, \cdots, a^{(m-1)}$ if and only if for each $h$, $0 \le h \le m-1$, there exists a unique polynomial $p^{(h)}(x) \in \mathbb{F}_q[x]$ such that

$$v(q(x) \cdot a^{(h)}(x) - p^{(h)}(x)) > N - d. \quad (14)$$

Therefore the multisequence synthesis problem of $a^{(0)}, \cdots, a^{(m-1)}$ is reduced to finding a monic polynomial of least degree satisfying (14).

Set $\alpha = (a^{(0)}(x), \cdots, a^{(m-1)}(x), x^{-N-1})_{m+1}$, $e_0 = (1, 0, \cdots, 0)_{m+1}$, $\cdots$, and $e_{m-1} = (0, \cdots, 0, 1, 0)_{m+1}$. Obviously $e_0, \cdots, e_{m-1}, \alpha$ are $\mathbb{F}_q[x]$-linearly independent. Therefore they span a free $\mathbb{F}_q[x]$-submodule of $K^{m+1}$, i.e. an $\mathbb{F}_q[x]$-lattice $\Lambda(e_0, \cdots, e_{m-1}, \alpha)$ of rank $m + 1$. In detail,

$$\Lambda(e_0, \cdots, e_{m-1}, \alpha) = \left\{ q(x) \cdot \alpha + \sum_{h=0}^{m-1} p^{(h)}(x) \cdot e_h \;\middle|\; q(x), p^{(h)}(x) \in \mathbb{F}_q[x] \right\}.$$

A function $\eta : \Lambda(e_0, \cdots, e_{m-1}, \alpha) \to \mathbb{F}_q[x]$ is defined by $\beta \mapsto b_m(x)x^{N+1}$ with $\beta = (b_0(x), \cdots, b_m(x))$. If $\omega_0, \cdots, \omega_m$ is a reduced basis with $V(\omega_0) \ge \cdots \ge V(\omega_m)$, setting

$$S = \{\beta \in \Lambda(\omega_0, \cdots, \omega_m) \mid \pi_m(\theta(\beta)) \neq 0\}, \quad (15)$$

then $c\eta(\omega_s)$, where $c$ is a constant such that $c\eta(\omega_s)$ is monic and $s$ satisfies $0 \le s \le m - 1$, $\omega_s \in S$ and $\omega_j \notin S$ for $j < s$, is a minimal polynomial.

Applying the module Euclidean algorithm to $\alpha, e_0, \dots, e_{m-1}$, we can present a new multisequence synthesis algorithm as follows. 

Algorithm 1: 

Input: $m$ sequences $a^{(0)}, \dots, a^{(m-1)}$, each of length $N$, over a finite field $F_q$. 

Output: a minimal polynomial $m(x)$. 

1. Set $\gamma_0 = \alpha$, $\beta_0^{(0)} = e_{m-1}$, $\beta_0^{(1)} = e_{m-2}$, $\dots$, $\beta_0^{(m-1)} = e_0$, $j = 0$. 

2. $j \leftarrow j + 1$. 

3. Apply the generalized Euclidean algorithm to $\gamma_{j-1}, \beta_{j-1}^{(0)}, \dots, \beta_{j-1}^{(m-1)}$, i.e. 

m—1 

= + Y. (16) 

Set $\beta_j^{(u_{j-1})} = \gamma_{j-1} \in [0, \dots, 0, 1, *, \dots, *]_{(u_{j-1})}$, and $\beta_j^{(h)} = \beta_{j-1}^{(h)}$ for all $h \ne u_{j-1}$. 




Euclidean Modules and Multisequence Synthesis 245 



4. Repeat steps 2 and 3 until the process terminates, i.e. $j = k$ such that $\gamma_k \not\sim \beta_k^{(h)}$ for all $h$, $h = 0, 1, \dots, m-1$. 

5. $c\rho(\gamma_k)$ is a minimal polynomial of $a^{(0)}, \dots, a^{(m-1)}$, where $c$ is a constant such that $c\rho(\gamma_k)$ is monic. 

By Corollary 2 we know 

A{eo, - ■ ■ ,em-i,a) = ■ (17) 

Furthermore, we have 

Theorem 4. 7 ^ G [0, • • • , 0, . 

According to Lemma 1 and Theorem 4, we know that $\beta_k^{(0)}, \dots, \beta_k^{(m-1)}, \gamma_k$ is a reduced basis for the lattice $\Lambda(\alpha, e_0, \dots, e_{m-1})$ and $\gamma_k$ is the unique element among $\beta_k^{(0)}, \dots, \beta_k^{(m-1)}, \gamma_k$ whose $m$-th component is not zero. Thus $c\rho(\gamma_k)$ is a minimal polynomial. 

Theorem 5. With the same notation as above, for all $j$, $0 \le j \le k-1$, 

$$\deg(\rho(\gamma_j)) < \deg(\rho(\gamma_{j+1})) \qquad (18)$$

$$\deg(\rho(\gamma_j)) + V(\gamma_j) < \deg(\rho(\gamma_{j+1})) + V(\gamma_{j+1}) \qquad (19)$$

The proof is omitted because of the space limit. 

Remark 2. The module Euclidean algorithm can also be thought of as a slight modification of the $F_q[x]$-lattice basis reduction algorithm, i.e. one step of the Euclidean algorithm corresponds to several steps of LBRMS such that the degree of the polynomial strictly increases in every step. 

4 Comparison with Feng-Tzeng's Algorithm 

In [5] Feng and Tzeng presented a generalized Euclidean algorithm and applied it to solving the multisequence synthesis problem; see also the Appendix. In this section we demonstrate the equivalence between the two Euclidean modules, which makes the equivalence between the two synthesis algorithms explicit. 

The polynomial ring $F_q[x]$ is also a Euclidean $F_q[x^m]$-module under the special equivalence relation in Example 4 of [5]. Define a function 

$$\sigma : F_q[x] \to K^m, \qquad f(x) = \sum_{j=0}^{d} c_j x^j \;\mapsto\; (a_0(x), \dots, a_{m-1}(x))$$

where for all $t$, $0 \le t \le m-1$, 

$$a_t(x) = \sum_{j=0,\; t = m-1-r_j}^{d} c_j x^{q_j}, \qquad j = m q_j + r_j,\; 0 \le r_j \le m-1 .$$
We easily get 

Theorem 6. With the same notation as above: 

(1) $\sigma$ is a group monomorphism. 

(2) for arbitrary $q(x), f(x) \in F_q[x]$, $\sigma(q(x^m) f(x)) = q(x)\,\sigma(f(x))$. 

The initial conditions of Feng-Tzeng's algorithm are given in the Appendix. From Theorem 6 we have $\sigma(r_0(x)) = (a^{(0)}(x), \dots, a^{(m-1)}(x))$, $\sigma(b_0^{(m-1)}(x)) = (1, 0, \dots, 0)_m$, $\dots$, $\sigma(b_0^{(0)}(x)) = (0, \dots, 0, 1)_m$. Furthermore we have 

Theorem 7. For $0 \le j \le k$, we have 

(1) $\gamma_j = \big(\sigma(r_j(x)),\, U_j(x)\, x^{-N-1}\big)$. 

(2) $\beta_j^{(h)} = \big(\sigma(b_j^{(h)}(x)),\, V_j^{(h)}(x)\, x^{-N-1}\big)$ for all $h$, $0 \le h \le m-1$. 

In addition, we consider the terminating condition. In [5] the algorithm terminates when we reach the step $k$ such that 

$$\deg(r_{j-1}(x)) \ge \deg(U_{j-1}(x^m)) \quad \text{for } 1 \le j \le k \qquad (20)$$

$$\deg(r_k(x)) < \deg(U_k(x^m)) \qquad (21)$$

At this step because of A^ -I- 1 — > tv -I- 1 — deg{Uk{x)), we have 

7fc G [0, • • • , 0, and jj ^ [0, • • • , 0, for all j, 0 < j < fc — 1. 

Therefore Algorithm 1 is completely equivalent to Feng-Tzeng's generalized Euclidean algorithm, and our representation method is more convenient. 

5 Comparison with Mills' Algorithm 

In this section we show that Algorithm 1 is equivalent to Mills' continued fractions algorithm when applied to solving the single sequence synthesis problem. 

Given a sequence $a = (a_0, \dots, a_{N-1})$, let $a(x) \in K$ be the formal negative-power series of $a$. Setting $\gamma_0 = \alpha = (a(x), x^{-N-1})$ and $\gamma_{-1} = e_0 = (1, 0)$, we begin to execute the generalized Euclidean algorithm. 

$$\gamma_{-1} = q_1(x)\,\gamma_0 + \gamma_1, \quad \text{where } V(\gamma_1) > V(\gamma_0) \text{ and } \gamma_1 \sim \gamma_0$$
$$\gamma_0 = q_2(x)\,\gamma_1 + \gamma_2$$
$$\cdots$$
$$\gamma_{k-2} = q_k(x)\,\gamma_{k-1} + \gamma_k$$

until $\gamma_k \not\sim \gamma_{k-1}$, at which point the algorithm terminates. 

For each $i$, $-1 \le i \le k$, set $Q_i(x) = \rho(\gamma_i) \in F_q[x]$ and let $R_i \in K$ denote the first component of $\gamma_i$. Since there exists a unique polynomial $P_i(x)$ such that $v(Q_i(x)a(x) - P_i(x)) > 0$, we have $R_i = Q_i(x)a(x) - P_i(x)$. Thus the initial conditions are: 

$$Q_0 = 1,\; Q_{-1} = 0,\; P_0 = 0,\; P_{-1} = 1,\; R_0 = a(x),\; R_{-1} = -1 .$$







Hence the sequences $\{P_i(x)\}$, $\{Q_i(x)\}$, $\{R_i\}$ satisfy the same recursion: 

$$P_{i-2}(x) = q_i(x)\,P_{i-1}(x) + P_i(x) \qquad (22)$$

$$Q_{i-2}(x) = q_i(x)\,Q_{i-1}(x) + Q_i(x) \qquad (23)$$

$$R_{i-2} = q_i(x)\,R_{i-1} + R_i \qquad (24)$$

If $0 \le i \le k-1$, then $\gamma_i \in [1, *]$ and so $V(\gamma_i) = v(R_i)$. Thus we rewrite equation (24) as 

$$\frac{R_{i-2}}{R_{i-1}} = q_i(x) + \frac{R_i}{R_{i-1}} \qquad (25)$$



Since v{Ri) > v{Ri-i), we have qi{x) = where [ ] denotes the integer 

part of the power-negative series, i. e. if f{x) = cq^o ^ then 



[fix)] 



I^j=o 9 2;'^ ^ if d > 0 
0 if d = 0 



The above process is actually the continued fractions technique, and so Algorithm 1 is equivalent to Mills' continued fractions algorithm for single sequence synthesis. 



6 Conclusion 

In [12] we presented a multisequence synthesis algorithm (LBRMS) by means of an $F_q[x]$-lattice basis reduction algorithm. Since the generalized Euclidean algorithm in this paper is only a slight modification of it, Algorithm 1, Feng-Tzeng's generalized Euclidean algorithm and Mills' algorithm can all be derived from LBRMS. In addition, the new concept of a Euclidean module makes the continued fractions technique a special case of the Euclidean algorithm. Therefore our module Euclidean algorithm can also be regarded as a generalization of the continued fractions algorithm. 



Appendix: Feng-Tzeng's Generalized Euclidean Synthesis Algorithm 

Input: $a^{(0)}, \dots, a^{(m-1)}$, each of length $N$, over a finite field $F_q$. 

Output: a minimal polynomial of $a^{(0)}, \dots, a^{(m-1)}$. 

1. Set ro(x) = af Uo(x) = 1. 

b^\x) = ,Vq^\x) = 0 for all /i, 0 < ft- < m — 1, and j = 0. 

2. $j \leftarrow j + 1$. 
3. Calculate $r_j(x)$ by the generalized Euclidean algorithm, i.e. 

m — 1 

rj{x) = + ^ (-Qf 

h—0,h^Uj — i 

Let $u_j = \deg(r_{j-1}(x)) \bmod m$, and $b_j^{(h)}(x) = b_{j-1}^{(h)}(x)$ for all $h \ne u_{j-1}$. 

4. Find $U_j(x)$ from $U_{j-1}(x)$ and $V_{j-1}^{(h)}(x)$ so that 

$$U_j(x) = \big(-Q_j^{(u_{j-1})}(x)\big)\,U_{j-1}(x) + V_{j-1}^{(u_{j-1})}(x) + \sum_{h=0,\; h \ne u_{j-1}}^{m-1} \big(-Q_j^{(h)}(x)\big)\,V_{j-1}^{(h)}(x)$$

Let $V_j^{(u_{j-1})}(x) = U_{j-1}(x)$, and $V_j^{(h)}(x) = V_{j-1}^{(h)}(x)$ for all $h \ne u_{j-1}$. 

5. If $\deg(r_j(x)) \ge \deg(U_j(x^m))$, go back to 2. Otherwise, go to 6. 

6. Let $k = j$. Then $cU_k(x)$ is a shortest-length LFSR, where $c$ is a constant such that $cU_k(x)$ is monic. 
Abstract. A new surprising connection between invariant theory and the theory of bent functions is established. This enables us to construct Boolean functions having a prescribed symmetry given by a group action. Besides the quadratic bent functions the only other known homogeneous bent functions are the six variable degree three functions constructed in [14]. We show that these bent functions arise as invariants under an action of the symmetric group on four letters. Extending to more variables we apply the machinery of invariant theory to construct previously unknown homogeneous bent functions of degree three in 8 and 10 variables. This approach gives a great computational advantage over the unstructured search problem. We finally consider the question of linear equivalence of the constructed bent functions. 

Keywords: Bent functions, invariant theory, design theory. 



1 Introduction 

Recently an interesting class of six variable bent functions which are invariant under $S_4$, the symmetric group on four letters, was found in a computer enumeration by Qu, Seberry, and Pieprzyk [14]. The algebraic normal form of these functions is homogeneous of degree three. The search for homogeneous bent functions that have some degree of symmetry was motivated by cryptographic applications. Loosely speaking, the symmetry property ensures that in repeated evaluations of the functions (such as in cryptographic algorithms) partial evaluations can be reused. As a consequence cryptographic algorithms which are designed using such symmetric Boolean functions have a fast implementation. The application of these ideas to the design of hashing functions is discussed in [14]. 

The relation between the bentness of Boolean functions and their algebraic 
normal forms seems not to be completely understood at present. For instance, 
Carlet [3] characterized the algebraic normal forms of the six variable bent functions. But this characterization does not provide a method of obtaining symmetric bent functions. 

The fact that the sought-after bent functions have homogeneous normal form and have some symmetry suggests that they could be studied in the context of invariant theory. This possibility was already observed in [4], where the connection between the six variable bent functions and the maximal cliques of a certain graph [13] was established. This correspondence was used to describe the action of $S_4$ on this class of functions. 

In this paper we demonstrate that it is indeed possible to use invariant theory to construct homogeneous bent functions. In fact it is possible to specify the symmetry group and then to search for those Boolean functions which possess this symmetry. In many cases (see Sections 5.1 and 5.2) this leads to a considerable reduction of the size of the search space. By this method we found previously unknown eight-variable homogeneous bent functions of degree 3. Moreover, these functions have a concise description in terms of certain designs and graphs. We expect that this connection will play a role in elucidating the structure of the algebraic form of these functions. 



2 Background 



In this section we briefly recall the basic definitions and properties of Boolean functions. Our main object of interest is the ring 

$$V_n := GF(2)[x_1, \dots, x_n] / (x_1^2 - x_1, \dots, x_n^2 - x_n)$$

of Boolean polynomials in $n$ variables over the finite field GF(2). The ring $V_n$ is graded, i.e., it has a direct sum decomposition which is induced by the degrees of the Boolean polynomials. 

To a vector $v \in GF(2)^n$ we associate the monomial $x^v := x_1^{v_1} \cdots x_n^{v_n} \in V_n$. The one's complement of $v$ is denoted by $\bar v$. Now let $f \in V_n$ be written in algebraic normal form (see [12]): $f = \sum_{v \in GF(2)^n} c_v x^v$. The degree of $f$ is defined by $\deg(f) := \max\{\mathrm{wgt}(v) : c_v \ne 0\}$, where $\mathrm{wgt}(v)$ denotes the Hamming weight of $v$. Then $V_n = \bigoplus_{i=0}^{n} V_i$, where $V_i$ is the vector space of all homogeneous polynomials of degree $i$ with respect to this degree function. Clearly $\dim(V_i) = \binom{n}{i}$, corresponding to the fact that there are $2^{\binom{n}{0}} \cdot 2^{\binom{n}{1}} \cdots 2^{\binom{n}{n}} = 2^{2^n}$ Boolean functions in $n$ variables. 



Definition 1. The Fourier transform of a Boolean function $f \in V_n$ is the function $F : GF(2)^n \to \mathbb{C}$ defined by 

$$F(s) = \sum_{v \in GF(2)^n} (-1)^{f(v) + s \cdot v}$$

for each $s \in GF(2)^n$. Here $x \cdot y$ denotes the inner product on $GF(2)^n$. 
Boolean functions whose Fourier spectrum has constant absolute values are particularly interesting. This is possible only when the number $n$ of variables is even. 

Definition 2. A Boolean function $f$ is called bent if $|F(s)| = 2^{n/2}$ holds for all $s \in GF(2)^n$. 

Bent functions have been studied extensively for the last 30 years and there is a large literature which deals with these functions. Amongst these we mention the works of Dillon [6], Rothaus [16], Carlet [3], and Dobbertin [8]. 



3 Invariant Theory 

In this section we briefly recall some basic definitions and results of polynomial invariant theory. Let $GL(n, K)$ denote the group of invertible $n \times n$ matrices with entries in the field $K$ (in case of a finite field $GF(q)$ of $q$ elements we write $GL(n, q)$ instead). For each group $G < GL(n, K)$ we define an operation on the polynomial ring $R_n := K[x_1, \dots, x_n]$ in the following way: for $g \in G$ and $f \in R_n$ we set 

$$f^g := f\big((x_1, \dots, x_n) \cdot g\big),$$

i.e., the elements of $G$ operate via $K$-linear coordinate changes. We are interested in the fixed points under this operation, i.e., the polynomials which satisfy $f^g = f$ for all $g \in G$. These polynomials are called invariant polynomials or simply invariants. The set of all invariants forms a ring which is usually denoted by $K[x_1, \dots, x_n]^G$. In the complex case $K = \mathbb{C}$ invariant theory has had important applications in the theory of error-correcting codes; cf. Gleason's theorem [12,15]. 

Example 1 (Symmetric polynomials). The symmetric group $S_n$ acts naturally on $n$ variable polynomials by permuting their variables. It is well-known (see, e.g., [11], p. 13) that the elementary symmetric polynomials 

$$\sigma_{1,n} := x_1 + x_2 + \cdots + x_n$$

$$\sigma_{2,n} := x_1 x_2 + x_1 x_3 + \cdots + x_{n-1} x_n$$

$$\vdots$$

$$\sigma_{n,n} := x_1 x_2 \cdots x_n$$

generate the ring $K[x_1, \dots, x_n]^{S_n}$ for all fields $K$. Invariant theory and bent functions already meet at this point, since it is known [12] that the quadratic elementary symmetric polynomials $\sigma_{2,n}$ are bent functions if interpreted as elements of the ring $V_n$. Savický has shown in [17] that $\sigma_{2,n}$ is essentially¹ the only class of bent functions invariant under the full symmetric group. 

¹ The linear and constant terms can be chosen so that there are four bent functions of degree 2 in $n$ variables which are invariant under the full symmetric group. 
The invariants of degree $i$ form a $K$-vector space of dimension $d_i$. In order to gain some information about the number of invariants of a fixed degree we use the generating function of the (graded) invariant ring, which is defined in terms of the $d_i$ by 

$$P_G(z) := \sum_{i \ge 0} d_i z^i$$

in the ring of formal power series. 

In the context of invariant theory this generating function $P_G(z)$ is called the Molien series (see [19]). Since for a finite group $G$ the invariant ring is finitely generated, $P_G(z)$ is in fact a rational function. In the non-modular case $P_G(z)$ can be computed quite elegantly, as the following theorem shows. 

Theorem 1 (T. Molien, 1897). Let $G$ be a finite subgroup of $GL(n, K)$ and suppose that $\mathrm{char}(K)$ does not divide $|G|$. Then the following identity holds: 

In case of a permutation group action we use the following additional result (cf. [18, Proposition 4.2.4]), which is the basis of our computational approach. 

Theorem 2. Let $G$ be a finite group, $X$ be a finite $G$-set, and $K$ be a field. Then the Molien series of $K[X]^G$ is given by $P_G(z) = \sum_{i \ge 0} d(i, X, G)\, z^i$, with certain coefficients $d(i, X, G)$ which depend on $i$ and the action of $G$ on $X$ but not on $K$. 

For a more complete account of invariant theory see for example [18] or [19]. In what follows we will apply the theory of invariants to the setting where $K = GF(2)$, and $G$ is a subgroup of $S_n$ which acts naturally by permuting the variables. 

4 Homogeneous Bent Functions in Six Variables 

As a preliminary step we give an alternative characterization of the results obtained in [14] using invariant theory. To describe the Boolean functions in question we require the following graph, which was used in [4]. 

Definition 3 (Nagy [13]). Let $\Gamma(n,k)$ be the graph whose vertices correspond to the $\binom{n}{k}$ unordered subsets of size $k$ of a set $\{1, \dots, n\}$. Two vertices of $\Gamma(n,k)$ are joined by an edge whenever the corresponding $k$-sets intersect in a subset of size one. 

The bent functions $\{f_i(x_1, \dots, x_6)\}$ considered in [14] are parametrized by the (maximal) cliques of size four of $\Gamma(6,3)$. 

Theorem 3 ([4]). The thirty homogeneous bent functions in six variables listed in [14] are in one-to-one correspondence with the complements of the cliques $\{C\}$ of $\Gamma(6,3)$. 
There is a canonical labeling of the edges of the graph in Figure 1 which is induced by the vertex labels (3-sets) of the clique. 

Theorem 4 ([4]). The automorphism group $S_4 = \langle \alpha, \beta, \gamma \rangle$ of a clique $C$ is generated by the involutions $\alpha = (a,d)(c,e)$, $\beta = (a,b)(d,f)$, and $\gamma = (a,c)(d,e)$. 

In Theorem 4 the generators $\alpha$, $\beta$ and $\gamma$ each correspond to a labeling of the edges induced in Figure 1 by one of three subgraphs (the subgraphs themselves are drawn only in Figure 1). 

This theorem leads us to an important observation which yields the connection to invariants: the automorphism group $S_4 = \langle \alpha, \beta, \gamma \rangle$ is also the stabilizer (taken in $S_6$) of the polynomial $f \in V_6$ corresponding to the clique $C$, i.e., $\mathrm{Stab}_{S_6}(f) = \{ g \in S_6 : f^g = f \} = \langle \alpha, \beta, \gamma \rangle = S_4$. 

Hence it is natural to look for polynomials which are invariant under this group action in order to find bent functions. Using this idea we now show that there are homogeneous invariants in $GF(2)[x_1, \dots, x_6]$ of degree 3 which are bent functions. 

We first define a permutation group on the letters $\{1, \dots, 6\}$ by specializing $a := 3$, $b := 1$, $c := 6$, $d := 4$, $e := 5$, $f := 2$. This yields the group 

$$S_4 := \langle (3,4)(5,6),\; (1,3)(2,4),\; (3,6)(4,5) \rangle < S_6,$$

i.e., the symmetric group of order 4, in the permutation representation obtained as the automorphisms of the clique (this $S_4$ is the symmetry group of the bent function given in [14, eq. (11)]). 

We consider the invariant ring $GF(2)[x_1, \dots, x_6]^{S_4}$ of this group action over the field GF(2). Since the characteristic of the prime field divides the order of the group, the investigation of this ring falls into the domain of modular invariant theory [18]. However, in our case the situation is considerably simplified since we are dealing with a permutation representation and hence Theorem 2 applies. For the investigation of the general case of a symmetry group $G < GL(n,2)$ with an associated invariant ring $GF(2)[x_1, \dots, x_n]^G$ the many facets of modular invariant theory have to be taken into account. 
In the six variable case we compute the Molien series of $G$ using the computer algebra system Magma [2] and obtain 

- z + 1 

^ ^ + 2z® — 3z® — 3z® + 2z® + 2z^ _ 2z + 1 

$$= 1 + z + 3z^2 + 6z^3 + 11z^4 + \text{terms of higher order.}$$

The coefficient of $z^3$ in this series shows that there are 6 linearly independent invariants of degree 3. Intersecting the 6-dimensional space spanned by these invariants with the vector space of dimension $\binom{6}{3} = 20$ spanned by all squarefree monomials of degree 3 gives the vector space spanned by the polynomials 

$$o_1 := x_1x_2x_3 + x_1x_2x_4 + x_1x_2x_5 + x_1x_2x_6 + x_1x_3x_4 + x_1x_5x_6 + x_2x_3x_4 + x_2x_5x_6 + x_3x_4x_5 + x_3x_4x_6 + x_3x_5x_6 + x_4x_5x_6,$$

$$o_2 := x_1x_3x_5 + x_1x_4x_6 + x_2x_3x_6 + x_2x_4x_5,$$

$$o_3 := x_1x_3x_6 + x_1x_4x_5 + x_2x_3x_5 + x_2x_4x_6.$$

Enumerating all elements in the vector space spanned by $o_1$, $o_2$ and $o_3$ we find two homogeneous bent functions 

$$b_1 := x_1x_2x_3 + x_1x_2x_4 + x_1x_2x_5 + x_1x_2x_6 + x_1x_3x_4 + x_1x_3x_6 + x_1x_4x_5 + x_1x_5x_6 + x_2x_3x_4 + x_2x_3x_5 + x_2x_4x_6 + x_2x_5x_6 + x_3x_4x_5 + x_3x_4x_6 + x_3x_5x_6 + x_4x_5x_6,$$

$$b_2 := x_1x_2x_3 + x_1x_2x_4 + x_1x_2x_5 + x_1x_2x_6 + x_1x_3x_4 + x_1x_3x_5 + x_1x_4x_6 + x_1x_5x_6 + x_2x_3x_4 + x_2x_3x_6 + x_2x_4x_5 + x_2x_5x_6 + x_3x_4x_5 + x_3x_4x_6 + x_3x_5x_6 + x_4x_5x_6.$$

Remark 1. 

— The search space has now been considerably reduced by using the symmetry group $S_4$: instead of searching $2^{20}$ Boolean polynomials we need only consider $2^3$ polynomials. 

— To a bent function $f$ in $n = 2k$ variables there corresponds a bent function $\tilde f$ (called the Fourier transform of $f$, cf. [3]) defined by 

$$F(s) = 2^k (-1)^{\tilde f(s)}$$

for each $s \in GF(2)^n$. We observe that the bent functions $b_1$ and $b_2$ are Fourier transforms of each other. The fact that $b_1$ and $b_2$ are related to each other by a Fourier transform follows from [6, Remark 4.8]: a homogeneous bent function $f$ of degree $k$ contains the monomial $x^v$ iff $\tilde f$ contains the monomial $x^{\bar v}$, where $\bar v$ is the one's complement of $v$. 

— The pairing of bent functions induced by the Fourier transform is the same as that induced by the mapping which takes a 3-set $\{a, b, c\}$ to its complement in $\{1, \dots, 6\}$. This is an automorphism of order two of the graph $\Gamma(6,3)$, whose full automorphism group is $S_6 \times C_2$; see [4]. 

— We remark that $b_2$ is the bent function given in [14, eq. (11)]. The stabilizer of $b_1$ respectively $b_2$ in $S_6$ is precisely the $S_4$ we have started from. Therefore, all bent functions can be obtained either from $b_1$ or from $b_2$ by application of a transversal $T$ of $S_4 \backslash S_6$. So we reproduced the result observed in [14] that there are $720/24 = 30$ bent functions. 
5 Homogeneous Bent Functions in Eight Variables 

We now consider the eight variable homogeneous bent functions. The question of the existence of such functions was raised in [14]. 

Using the computer algebra system Magma [2] it is possible to generate a system of representatives for the conjugacy classes of subgroups of the symmetric group $S_8$. For each representative subgroup $G$ of a conjugacy class we computed the vector space of invariants of degree 3. 

We found that two groups, of orders six and seven, produced homogeneous bent functions of degree 3, which we describe in the following two subsections. The search was performed over the whole subgroup lattice of $S_8$ with the exception of some groups of small order. We had to restrict the size of the search space of Boolean functions to be less than or equal to a fixed power of 2, which rules out a number of subgroups, the largest of which was of order 24. In the extreme case, if $G$ was chosen to be the identity group, this would lead to the space of all $2^{56}$ homogeneous polynomials of degree 3. 

5.1 Sixfold Symmetry, Designs and Graphs 

The cyclic group $C_6 = \langle (1,2)(3,4,5,6,7,8) \rangle < S_8$ gives the invariant bent function 

$$f_{32} = x_1x_3x_6 + x_2x_4x_7 + x_1x_5x_8 + x_2x_3x_6 + x_1x_4x_7 + x_2x_5x_8 +$$
$$x_1x_3x_8 + x_2x_3x_4 + x_1x_4x_5 + x_2x_5x_6 + x_1x_6x_7 + x_2x_7x_8 +$$
$$x_1x_4x_6 + x_2x_5x_7 + x_1x_6x_8 + x_2x_3x_7 + x_1x_4x_8 + x_2x_3x_5 +$$
$$x_3x_4x_6 + x_4x_5x_7 + x_5x_6x_8 + x_3x_6x_7 + x_4x_7x_8 + x_3x_5x_8 +$$
$$x_3x_4x_5 + x_4x_5x_6 + x_5x_6x_7 + x_6x_7x_8 + x_3x_7x_8 + x_3x_4x_8 +$$
$$x_3x_5x_7 + x_4x_6x_8 .$$

We have listed the 32 terms of $f_{32}$ according to the orbits of $C_6$ acting on the monomials (representing each orbit by one row). In the remaining parts of this paper we shall adopt this convention of representing bent functions. 

With respect to the action of $C_6$ we found eight invariant bent functions. The number of terms in these functions varies: four functions have 32 terms, and four functions have 24 terms. The invariant bent function 

$$f_{24} = x_1x_3x_6 + x_2x_4x_7 + x_1x_5x_8 + x_2x_3x_6 + x_1x_4x_7 + x_2x_5x_8 +$$
$$x_1x_3x_8 + x_2x_3x_4 + x_1x_4x_5 + x_2x_5x_6 + x_1x_6x_7 + x_2x_7x_8 +$$
$$x_1x_4x_6 + x_2x_5x_7 + x_1x_6x_8 + x_2x_3x_7 + x_1x_4x_8 + x_2x_3x_5 +$$
$$x_3x_4x_6 + x_4x_5x_7 + x_5x_6x_8 + x_3x_6x_7 + x_4x_7x_8 + x_3x_5x_8$$

is rather special in that the monomials comprising it correspond to the blocks of a $t$-$(v, k, \lambda)$ design (cf. [1]), where $t = 1$, $v = 8$, $k = 3$, and $\lambda = 9$. 

It also has a description in terms of the Nagy graph $\Gamma(8,3)$ (cf. Section 4). The four orbits of $C_6$ on $f_{24}$ (displayed above) can be represented as the following subgraphs of $\Gamma(8,3)$: each orbit of six monomials is a disjoint union of two triangles (or 3-cliques) in the complement of $\Gamma(8,3)$. Another way of seeing this is in terms of the Johnson graph $J(3,2)$ [9]. 
Moreover, the property $f_{24} < f_{32}$ holds, i.e., the monomials of $f_{24}$ are contained in the monomials of $f_{32}$. The difference $f_{32} - f_{24}$ is the polynomial 

$$x_3x_4x_5 + x_4x_5x_6 + x_5x_6x_7 + x_6x_7x_8 + x_3x_7x_8 + x_3x_4x_8 + x_3x_5x_7 + x_4x_6x_8$$

which factorizes as $(x_3 + x_6)(x_4 + x_7)(x_5 + x_8)$. Nevertheless, $f_{24}$ and $f_{32}$ are linearly equivalent, cf. Section 6. 
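Worked example, added here and not code from the paper, covering the six-variable functions $b_1$, $b_2$ of Section 4 and $f_{24}$, $f_{32}$ of Section 5.1: the Fourier spectrum of Definition 1 is computed by a Walsh-Hadamard butterfly and Definition 2 is checked on it; the $S_4$ invariance of $b_2$, the Fourier pairing $b_1 \leftrightarrow b_2$ via monomial complements, the $C_6$ orbit structure, the containment $f_{24} < f_{32}$ with its factorized difference and the $1$-$(8,3,9)$ replication number are checked as well. The helper names, the encoding of monomials as tuples of variable indices, the generation of $f_{24}$ and $f_{32}$ from the orbit representatives that head each row of the paper's listing, and the clique $\{136, 145, 235, 246\}$ of $\Gamma(6,3)$ used to build $b_2$ (the four cubic monomials absent from $b_2$) are assumptions of this example.

```python
# Added example (not code from the paper): Walsh/Fourier spectrum and bentness
# checks for b1, b2 (Section 4) and f24, f32 (Section 5.1).  The 8-variable
# functions are generated from the C6-orbit representatives that head each row
# of the paper's listing; all helper names are choices made for this example.
from itertools import combinations

def truth_table(monomials, n):
    """ANF -> truth table.  A monomial is a tuple of 1-based variable indices;
    input x encodes x_i in bit i-1."""
    table = []
    for x in range(1 << n):
        bit = 0
        for mono in monomials:
            if all((x >> (i - 1)) & 1 for i in mono):
                bit ^= 1
        table.append(bit)
    return table

def walsh_spectrum(monomials, n):
    """F(s) = sum_v (-1)^(f(v) + s.v) for every s (Definition 1), computed with
    the fast Walsh-Hadamard butterfly."""
    w = [1 - 2 * b for b in truth_table(monomials, n)]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w

def is_bent(monomials, n):
    """Definition 2: |F(s)| = 2^(n/2) for all s."""
    return n % 2 == 0 and all(abs(v) == 1 << (n // 2) for v in walsh_spectrum(monomials, n))

def perm_from_cycles(cycles, n):
    """Permutation of {1..n} given by disjoint cycles, returned as a dict."""
    p = {i: i for i in range(1, n + 1)}
    for cyc in cycles:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            p[a] = b
    return p

def permute(monomials, p):
    """Image f^g of a monomial set under a variable permutation g."""
    return frozenset(tuple(sorted(p[i] for i in mono)) for mono in monomials)

def orbit(mono, p):
    """Orbit of one monomial under the cyclic group generated by p."""
    out, cur = set(), tuple(mono)
    while cur not in out:
        out.add(cur)
        cur = tuple(sorted(p[i] for i in cur))
    return out

def fourier_dual(monomials, n):
    """Monomials of the dual f~ of a homogeneous bent f of degree n/2:
    x^v -> x^(v-bar), as quoted from [6, Remark 4.8] in Remark 1."""
    full = set(range(1, n + 1))
    return frozenset(tuple(sorted(full - set(mono))) for mono in monomials)

def replication_numbers(monomials, n):
    """Blocks through each point; all equal to lambda means a 1-(n,3,lambda) design."""
    return [sum(1 for mono in monomials if i in mono) for i in range(1, n + 1)]

# Section 4: b2 is the complement, within the 20 cubic monomials of 6 variables,
# of the 4-clique {136, 145, 235, 246} of Gamma(6,3); b1 is its Fourier dual.
S4_GENS = [perm_from_cycles([(3, 4), (5, 6)], 6),
           perm_from_cycles([(1, 3), (2, 4)], 6),
           perm_from_cycles([(3, 6), (4, 5)], 6)]
CLIQUE = {(1, 3, 6), (1, 4, 5), (2, 3, 5), (2, 4, 6)}
B2 = frozenset(set(combinations(range(1, 7), 3)) - CLIQUE)
B1 = fourier_dual(B2, 6)

# Section 5.1: C6 = <(1,2)(3,4,5,6,7,8)>; each row of f32 is the orbit of its first term.
C6 = perm_from_cycles([(1, 2), (3, 4, 5, 6, 7, 8)], 8)
F24 = frozenset().union(*(orbit(m, C6) for m in [(1, 3, 6), (1, 3, 8), (1, 4, 6), (3, 4, 6)]))
F32 = F24 | frozenset().union(*(orbit(m, C6) for m in [(3, 4, 5), (3, 5, 7)]))
# (x3 + x6)(x4 + x7)(x5 + x8), expanded into monomials
PRODUCT = frozenset(tuple(sorted((a, b, c))) for a in (3, 6) for b in (4, 7) for c in (5, 8))

if __name__ == "__main__":
    print(is_bent(B1, 6), is_bent(B2, 6), fourier_dual(B1, 6) == B2)
    print(all(permute(B2, g) == B2 for g in S4_GENS))
    print(is_bent(F24, 8), is_bent(F32, 8), F32 - F24 == PRODUCT, replication_numbers(F24, 8))
```

Because the spectrum is computed for every $s$, the same block also exhibits non-bent candidates: a single cubic monomial in six variables, for instance, has $F(0) = 48$ and fails Definition 2, which is the kind of candidate the enumeration over the span of $o_1, o_2, o_3$ discards.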

5.2 Sevenfold Symmetry 

The cyclic group $C_7 = \langle (1,2,3,4,5,6,7) \rangle < S_8$ gives the invariant bent function 

$$f_{35} = x_1x_2x_3 + x_2x_3x_4 + x_3x_4x_5 + x_4x_5x_6 + x_5x_6x_7 + x_1x_6x_7 + x_1x_2x_7 +$$
$$x_1x_2x_4 + x_2x_3x_5 + x_3x_4x_6 + x_4x_5x_7 + x_1x_5x_6 + x_2x_6x_7 + x_1x_3x_7 +$$
$$x_1x_2x_5 + x_2x_3x_6 + x_3x_4x_7 + x_1x_4x_5 + x_2x_5x_6 + x_3x_6x_7 + x_1x_4x_7 +$$
$$x_1x_3x_5 + x_2x_4x_6 + x_3x_5x_7 + x_1x_4x_6 + x_2x_5x_7 + x_1x_3x_6 + x_2x_4x_7 +$$
$$x_1x_4x_8 + x_2x_5x_8 + x_3x_6x_8 + x_4x_7x_8 + x_1x_5x_8 + x_2x_6x_8 + x_3x_7x_8 .$$

Overall there are twelve bent functions which are invariant under $C_7$. Again, the bent function 

$$f_{28} = x_1x_2x_3 + x_2x_3x_4 + x_3x_4x_5 + x_4x_5x_6 + x_5x_6x_7 + x_1x_6x_7 + x_1x_2x_7 +$$
$$x_1x_2x_4 + x_2x_3x_5 + x_3x_4x_6 + x_4x_5x_7 + x_1x_5x_6 + x_2x_6x_7 + x_1x_3x_7 +$$
$$x_1x_2x_5 + x_2x_3x_6 + x_3x_4x_7 + x_1x_4x_5 + x_2x_5x_6 + x_3x_6x_7 + x_1x_4x_7 +$$
$$x_1x_4x_8 + x_2x_5x_8 + x_3x_6x_8 + x_4x_7x_8 + x_1x_5x_8 + x_2x_6x_8 + x_3x_7x_8$$

has the property $f_{28} < f_{35}$. The 28 terms of $f_{28}$ are characteristically split into two subsets of size 7 and 21 respectively, according to whether the monomials contain the variable $x_8$ or not. We observe that the monomials in the set of size 21 correspond to a $1$-$(7,3,9)$ design (the monomials comprising the set of size 7 can also be considered as a $1$-$(7,2,2)$ design), while the monomials of the difference 

$$f_{35} - f_{28} = x_1x_3x_5 + x_2x_4x_6 + x_3x_5x_7 + x_1x_4x_6 + x_2x_5x_7 + x_1x_3x_6 + x_2x_4x_7$$

correspond to a $1$-$(7,3,3)$ design. 

The bent function $f_{35}$ can also be described as follows. There are five orbits of $C_7$ acting on the monomials of $f_{35}$. The graph (cf. Definition 3) corresponding to each orbit is a 7-cycle subgraph of either the Johnson graph $J(8,3)$, the Nagy graph $\Gamma(8,3)$, or the complement of the Nagy graph. 

6 Linear Equivalence 

In this section we consider the problem of sorting the previously found bent functions into equivalence classes. Recall that two functions $f, g \in V_n$ are called linearly equivalent if there is an affine transformation between $f$ and $g$. This means that there is a matrix $A \in GL(n,2)$ and a vector $v \in GF(2)^n$ such that $f^{(A,v)} := f\big(A \cdot (x_1, \dots, x_n)^T + v\big) = g$ (cf. [12]). In what follows we make some remarks about the equivalence problem. 
— One of the 2-Sylow subgroups of $GL(8,2)$, of order $2^{28}$, is the group consisting of all upper triangular matrices. There is a transformation $A$ which belongs to this 2-Sylow subgroup and acts on the variables as 

$$x_1 \mapsto x_1 + \sum_{i=3}^{8} x_i, \qquad x_2 \mapsto x_2 + \sum_{i=3}^{8} x_i, \qquad x_k \mapsto x_k \;\text{ for } k = 3, \dots, 8. \qquad (1)$$

This transformation establishes that the image of $f_{24}$ under $A$ is $f_{32}$. 

— As stated in Section 5 the bent functions invariant under the groups $C_6$ and $C_7$ occur in pairs $(f, g)$ where $g < f$. With respect to this group action the pairing is preserved and hence the pairs form a single orbit of length six. Combining this with the transformation (1) we see that all homogeneous bent functions in $V_8$ that have symmetry group $C_6$ form a single orbit under the action of $GL(8,2)$. 

— Following Hou [10] we compute the rank $r_3(f)$ of a homogeneous Boolean function $f$ of degree 3. We associate to the given homogeneous polynomial 

$$f = \sum_{v \in GF(2)^n,\; \mathrm{wgt}(v) = 3} c_v x^v$$

a binary $n \times \binom{n}{3}$ matrix. In [10] cosets of the second order Reed-Muller code are considered, but in our case $f$ already has the required form, so we can compute the rank of this matrix directly. Hou has shown [10] that $r_3(f)$ is preserved under the action of the affine group. A computation establishes that $r_3(f_{32}) = 6$ and $r_3(f_{35}) = 7$, thus showing that $f_{32}$ and $f_{35}$ are not linearly equivalent. 



7 Conclusions and Outlook 

Bent functions are of fundamental importance in cryptographic applications. We have produced for the first time homogeneous bent functions of degree three in 8 and 10 variables. We have demonstrated a connection between these functions and 1-designs as well as certain graphs. 

We have demonstrated that the language of invariant theory is a natural 
setting for the construction of homogeneous bent functions which have symmetry. 
This setting has proven to be of great computational advantage in the search for 
such bent functions. 

Some open problems naturally suggest themselves from our investigation. 

— So far we have restricted ourselves to subgroups of $S_n$ permuting the $n$ variables. It seems possible that other subgroups of $GL(n,2)$ not consisting entirely of permutations could feature in the search for bent functions. 

— Another open question is how the bent functions found fit into the known 
classes of bent functions [3,8]. 

— We would hope that the observed connections between designs and homo- 
geneous bent functions will provide further insight to the problem of con- 
structing families of bent functions. 
A Homogeneous Bent Functions in Ten Variables 

The cyclic group $C_9 = \langle (1,2,3,4,5,6,7,8,9) \rangle < S_{10}$ gives the following invariant bent function (we have abbreviated $i$ for the variable $x_i$ and replaced 10 by 0). 
Like the functions displayed in Section 5, this function has a characteristic decomposition into sets of sizes 9 and 63 respectively, according to whether the monomials contain the variable $x_{10}$ or not. The set of size 63 forms a $1$-$(9,3,21)$ design. 

For more information about homogeneous bent functions in ten variables the reader is referred to the web page 

http://avalon.ira.uka.de/home/roetteler/bent.html 

In Table 1 we have displayed the maximal subgroups of the symmetric group $S_{10}$; see [5] and [7] regarding the maximal subgroups of $S_n$ and $A_n$. For each of the groups given in Table 1 we performed a search over the lattice of subgroups in order to find homogeneous bent functions of degree 3. This search was not exhaustive in that some groups of large index in the respective maximal subgroup could not be searched. The maximal order of a subgroup which could not be searched is given in the fourth column. 

The full symmetric group $S_{10}$ and the alternating group $A_{10}$ do not produce invariant bent functions of degree 3. We do not have to take into account the subgroups of the alternating group since we are searching over the whole subgroup lattices of the other maximal subgroups of $S_{10}$. 



Table 1. Summary of the search over the subgroups of $S_{10}$ 

Group name    Size      No. bents   Max. order 
              362880    72          288 
Abstract. If $\Gamma$ is a $q$-ary code of length $n$ and $a, b, \dots, e$ are codewords, then $c$ is called a descendant of $a, b, \dots, e$ if $c_i \in \{a_i, b_i, \dots, e_i\}$ for $i = 1, \dots, n$. Codes $\Gamma$ with the property that coalitions of a limited size have restrictions on their descendants are studied. Namely, we consider codes with the following partial identification property, referred to later as 2-secure frameproof codes (2-SFPC): any two non-intersecting coalitions of size at most 2 have no common descendant. 

Index Terms: Secure frameproof codes, copyright protection, designs. 



1 Introduction 

The ability to resolve ownership disputes and copyright infringement is difficult 
in the worldwide digital age. There is an increasing need to develop techniques 
that protect the owner of digital data. Digital watermarking is a technique used 
to embed a known piece of digital data within another one. The embedded 
piece acts as a fingerprint for the owner, allowing the protection of copyright, 
authentication of the data, and tracing of illegal copies. 

A publisher embeds a unique fingerprint pattern into each distributed copy 
of a document, keeping a database of sold copies and their corresponding finger- 
prints. If, later on, an illegally distributed copy is discovered, he may trace that 
copy back to the offending user by comparing its fingerprint to the database. 
We consider the attack which results when two users collude and compare their 
independently marked copies. Then they can detect and locate the differences, 
and combine their copies into a new one whose fingerprint differs from all the 
users’. 

Codes were introduced in [2] (see also [11]) as a method of “digital finger- 
printing” which prevents a coalition of a given size from forging a copy with no 
member of the coalition being caught, or from framing an innocent user. 

The outline of the paper is as follows. Definitions and basic results are presented in Section 2. In Section 3, we first prove that Sylvester type matrices are 2-secure frameproof codes. Although they can accommodate only a limited number of users, their length $2^k$ makes them suitable for practical applications and concatenation. 

Section 4 is devoted to q-ary 2-secure frameproof codes. In particular we show that an equidistant code with 2d > n is a 2-SFPC, thus weakening the sufficient condition 4d > 3n in [3] and [12]. In the last section, we show how to combine two secure frameproof codes to build larger ones. 

2 Definitions and Basic Results 

We use the notation of [11] for fingerprinting issues and of [6] for codes and Hadamard matrices. We identify a vector with its support, the set of its non-zero positions. For any positive real number x we shall denote by $\lfloor x \rfloor$ its integer part and by $\lceil x \rceil$ the smallest integer at least equal to x. 

A set $F \subseteq GF(q)^n$ is called an (n, M, d)-code if |F| = M and the minimum Hamming distance between two of its elements (codewords) is d. 

Suppose $C \subseteq F$. For any position i define the projection 

$$P_i(C) = \bigcup_{a \in C} a_i .$$

Define the feasible set of C by: 

$$F(C) = \{ x \in GF(q)^n : \forall i,\ x_i \in P_i(C) \}.$$

The feasible set F(C) represents the set of all possible n-tuples (descendants) that could be produced by the coalition C by comparing the codewords they jointly hold. Observe that $C \subseteq F(C)$ for all C, and F(C) = C if |C| = 1. 

If two non-intersecting coalitions can produce the same descendant, it will be impossible to trace with certainty even one guilty user. This motivates the following definition from [11]. 

Definition 1. An (n, M)-code F is called an s-secure frameproof code (s-SFPC for short) if, for every couple of coalitions $C, C' \subseteq F$ such that $|C| \le s$, $|C'| \le s$ and $C \cap C' = \emptyset$, we have $F(C) \cap F(C') = \emptyset$. 

The previous property can be rephrased as follows when q = 2: 

For any ordered 2s-tuple of codewords written as columns, there is a coor- 
dinate where the 2s-tuple (1..10..0) of weight s or its complement occurs. For 
s = 2 this turns out to have been studied in another context under the name of 
“separation” (see, e.g., [4], [5], [10]). 

In this paper, we consider the case s = 2. 

3 Binary 2-Secure Frameproof Codes 

Theorem 1. [1] If H is an $n \times n$ Hadamard matrix with n > 1, then n is even and for any two distinct rows of H there are precisely n/2 columns in which the entries in the two rows agree. Further, if n > 2 then n is divisible by 4, and for any three distinct rows of H there are precisely n/4 columns in which the entries in all three rows agree. 

Let $H_n$ be a Sylvester type matrix of order $n = 2^k$ [6]. If +1's are replaced by 1's and −1's by 0's (note that this is not the classical way, but it ensures that the all 0 vector is a codeword), $H_n$ is changed into the binary Hadamard matrix $A_n$ [6], which is an $(n = 2^k, M = 2^k, d = 2^{k-1})$ code. 

Theorem 2. The matrix $A_n$ is an $(n = 2^k, M = 2^k)$ 2-SFPC. 

Proof. Set n = 4m with $m = 2^{k-2}$. By [6] Ch. 2, since any two rows in $A_{4m}$ are orthogonal, they agree in 2m places and differ in 2m places. Any such two rows, different from the all 0 vector, contain m columns of each of the four possible types $(11)^T$, $(00)^T$, $(01)^T$, $(10)^T$. 

We distinguish between two cases, according to whether or not one of the four codewords is the first row of $A_{4m}$ (the all 0 vector). 

Case 1. Let $c_1, c_2, c_3, c_4 \in A_{4m}$ be all different from the first row in $A_{4m}$. Then $A_{4m}$ will not be 2-SFPC if the following occurs: 

0 a L-jJ ^ 2 ^ 3m— a 

d : 0...0 0 0 1 ... 10...0 

/3 a LfJ Ifl 3m— a 

02 : 0...0 0 0 0 ... 01...1 * * * 

0 LfJ Ifl a 3m-a 

03 : 0...0 1...10...0 0 0 

0 LfJ Ifl a 3m-a 

04 : 0...0 0...0 1...1 0 0 

where the number of columns $(00)^T$ in any two rows of $A_{4m}$ is $\alpha + \beta = m$, $*$ being indifferently a 0 or 1. If $\alpha$ is an odd number, then $[c_2, c_4]$ have less than $\alpha + \beta - 1 = m - 1$ columns $(00)^T$, a contradiction. Thus $\alpha$ is even, say $\alpha = 2\alpha'$. Then $A_{4m}$ will fail to be 2-SFPC if the following occurs: 

0 ‘loL OL OL 2m—0—3cx' 2m—0—3a.' 2m—0—3oc' 2m—0—3oc' 

0 2oi OL OL 2ra—0—3oL 2m— /3— 3a' 2m—0—3oL 2ra—0—3oL 

02 

0 ol' ol' 2ol 2m— /3— 3a' 2m—0—3a' 2m— /3— 3a' 2m— /3— 3a' 

03 iZZi iZZi 

0 ol' ol' 2a' 2m— /3— 3a' 2m— /3— 3a' 2m— /3— 3a' 2m— /3— 3a' 

04 iZZi iZZi iZZi oZZo 

Columns in $[c_1, c_2, c_3, c_4]$ are written this way up to position $\beta + 4\alpha'$ since any two rows in $A_{4m}$ have columns $(00)^T$ in m positions. The numbers of $(01)^T$ and $(10)^T$ columns are equal, otherwise two of the rows $c_1, c_2, c_3, c_4$ would have more than m columns $(00)^T$. Therefore any two of the rows $c_1, c_2, c_3, c_4$ must contain m columns $(11)^T$ from position $\beta + 4\alpha' + 1$ on, since any two of them do not contain columns $(11)^T$ on the first $\beta + 4\alpha'$ positions. We now upper bound by 4m the number of columns containing at least one 0, getting $\beta + 4\alpha' + 4(2m - \beta - 3\alpha') \le 4m$, or $3\beta + 8\alpha' \ge 4m$. On the other hand, for any two rows, the number of $(00)^T$ columns is $m = \beta + 2\alpha'$. This leads to $2\alpha' = m$, $\beta = 0$, which is impossible since the first column of $A_{4m}$ contains only 0's. 

Case 2 now. Suppose that $c_1$ is the first row in $A_{4m}$, i.e. $wt(c_1) = 0$. Then $A_{4m}$ will not be 2-SFPC if the following occurs. 



m m m m 



Cl : 0...0 0...0 0...0 0...0 

m m m m 

C2 : 0 ^ 0 ^ 1 ^ 

m m m m 

C3 : ^ 

m m m m 

C4 : OTT 



The row $c_4$ should have a 0 in the first position since all rows of $A_{4m}$ do. The support of $c_4$ in positions $\{m+1, m+2, \dots, 2m\}$ has size 0 by the assumption that $A_{4m}$ is not 2-SFPC. In this case $[c_2, c_4]$ will have m + 1 columns $(00)^T$, again reaching a contradiction. Therefore $A_{4m}$ is a 2-SFPC. □ 



4 On Equidistant 2-Secure Frameproof Codes 



Positions where two codewords coincide are denoted *...*, and positions where they have different coordinates are denoted ⟨π...π⟩. We now improve on the sufficient condition $(d/n) > 1 - (1/s^2)$ from [3] and [12] for a code to be an s-SFPC, in the special case of equidistant codes and s = 2. 

Proposition 1. Let C be an equidistant q-ary code with $dist(c_i, c_j) = d$ and length n. If 2d > n, then C is 2-SFPC. 

Proof. Suppose C is not 2-SFPC. Then w.l.o.g. we may assume that there are four codewords $c_1, c_2, c_3, c_4 \in C$ such that $c_1, c_2$ and $c_3, c_4$ can produce a common descendant. Let 

$c_1, c_2$ coincide on positions $1, 2, \dots, x + a + y = n - d$, 

$c_1, c_3$ coincide on positions $1, 2, \dots, x + a;\ x + a + y + 1, \dots, x + a + 2y$, 

$c_2, c_3$ coincide on positions $1, 2, \dots, x + a;\ x + a + 2y + 1, \dots, x + a + 3y$, 

$c_1, c_4$ coincide on positions $x + 1, \dots, x + a + y + m_1;\ x + a + 3y + 1, \dots, 2x + a + 3y - m_1$, 

$c_2, c_4$ coincide on positions $x + 1, \dots, x + a + y;\ x + a + 2y + 1, \dots, x + a + 2y + m_2;\ 2x + 3y + a - m_1 + 1, \dots, 3x + a + 3y - m_1 - m_2 = n$. 
Thus the $4 \times n$ array obtained from $c_1, c_2, c_3, c_4$ may be described as follows (array with rows $c_1, \dots, c_4$ over column blocks of sizes $x, a, m_1, y - m_1, m_2, y - m_2, x - m_1, x - m_2$; *...* marks coincidence with the row above, ⟨π...π⟩ marks differing coordinates). 



Combining $a + m_1 + m_2 = n - d$ ($c_3, c_4$ coincide on n − d positions) and $a + x + y = n - d$ ($c_1, c_2$ coincide on n − d positions) we obtain $m_1 + m_2 = x + y$. The last equality together with 

$$m_1 \le x,\quad m_1 \le y,\quad m_2 \le x,\quad m_2 \le y$$

leads to $x = y = m_1 = m_2$. Looking at the positions where $c_1, c_3$ coincide we get 

$$x + y + a = 2y + a = n - d.$$

Replacing 2y by d gives $a + 2d = n$. This is possible only for a = 0, 2d = n. By assumption 2d > n, therefore C is 2-SFPC. □ 

Note that the bound 2d > n cannot be improved in general: there exist 
equidistant codes with 2d = n which are not 2-SFPC (take for example the 4 
vectors of weight 1, length 4 and at distance 2 apart). 

Let’s now look at how designs can provide such equidistant 2-SFPC. 

A parallel class in a 2-(v, k, λ) design with $v \equiv 0 \pmod k$ is a set of v/k pairwise disjoint blocks. A 2-design with parameters v, k, λ, r, b is resolvable if the block set can be partitioned into r disjoint parallel classes. Any such partition is called a resolution. A resolvable design is affine resolvable (or affine) if any two blocks that are not in the same parallel class meet in a constant number (say μ) of points. 

An equidistant $(n, M = qt, d)_q$ code is optimal if 

$$d = \frac{nt(q-1)}{qt-1}.$$



Proposition 2. [9] An optimal equidistant q-ary code with parameters 

$$n = \frac{q^2 y - 1}{q - 1},\qquad M = q^2 y,\qquad d = qy$$

exists if and only if there exists an affine design with parameters 

$$v = q^2 y,\qquad k = qy,\qquad \lambda = \frac{qy - 1}{q - 1},\qquad r = \frac{q^2 y - 1}{q - 1},\qquad b = \frac{q^3 y - q}{q - 1}.$$
Proposition 3. If A is an incidence matrix of an affine 2-(v, k, λ) design, corresponding to a ternary optimal equidistant code, then A is a 2-SFPC. 

Proof. Let A be as described in the proposition and let C be a corresponding ternary optimal equidistant code. The existence of C follows by Proposition 2. By Proposition 1, C is 2-SFPC. Thus for any $c_1, c_2, c_3, c_4 \in C$ there is at least one coordinate j such that $\{c_1^j, c_2^j\} \cap \{c_3^j, c_4^j\} = \emptyset$. In the case q = 3 it implies that at least one of the two equalities $c_1^j = c_2^j$ or $c_3^j = c_4^j$ occurs. 

A may be obtained from C by replacing any symbol i in C by the i-th row of $I_3$. Thus we are sure that for any four rows in A there is a coordinate where one of the columns $(1100)^T$ or $(0011)^T$ occurs, i.e. A is a 2-SFPC. □ 



Example 1. The unique 2-(9,3,1) design [9] is an equidistant code with 2d = n and it is a 2-SFPC. The corresponding ternary code is 2-SFPC with parameters (4, 9, 3). 
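The following is an added example, not code from the paper: a brute-force check of Definition 1 (s = 2) run on the codes discussed in Sections 3 and 4, namely the Sylvester matrix $A_n$ of Theorem 2, the weight-1 counterexample with 2d = n, and the ternary (4, 9, 3) code of Example 1 together with its binary incidence-matrix image from Proposition 3. The construction of AG(2, 3) as a parallel-class code and the GF(2) inner-product form of $A_n$ are my own choices of realisation.

```python
"""2-SFPC checker (Definition 1) plus the codes of Sections 3 and 4.

F(C) and F(C') intersect iff the projections P_i(C) and P_i(C') share a
symbol at every position i, so descendants are never enumerated.
"""
from itertools import combinations


def projection(coalition, i):
    """P_i(C): the set of symbols the coalition C holds at position i."""
    return {c[i] for c in coalition}


def feasible_sets_intersect(c1, c2):
    """F(C) ∩ F(C') ≠ ∅  <=>  P_i(C) ∩ P_i(C') ≠ ∅ for every position i."""
    return all(projection(c1, i) & projection(c2, i) for i in range(len(c1[0])))


def is_2_sfpc(code):
    """Definition 1 with s = 2: disjoint coalitions of size <= 2 never share a descendant."""
    words = [tuple(c) for c in code]
    coalitions = [(w,) for w in words] + list(combinations(words, 2))
    for c1, c2 in combinations(coalitions, 2):
        if set(c1) & set(c2):          # only non-intersecting coalitions matter
            continue
        if feasible_sets_intersect(c1, c2):
            return False
    return True


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def equidistance(code):
    """The common distance d if the code is equidistant, else None."""
    dists = {hamming(a, b) for a, b in combinations(code, 2)}
    return dists.pop() if len(dists) == 1 else None


def sylvester_code(k):
    """A_n for n = 2^k: row a, column x hold the GF(2) inner product a·x.
    This realisation puts the all-0 vector in the code, as in Section 3."""
    n = 1 << k
    return [tuple(bin(a & x).count("1") & 1 for x in range(n)) for a in range(n)]


def weight_one_code(n):
    """The n unit vectors: equidistant with d = 2, so 2d = n exactly when n = 4."""
    return [tuple(int(i == j) for j in range(n)) for i in range(n)]


def affine_plane_code(q=3):
    """Equidistant code from the affine design AG(2, q) (for q = 3 the unique
    2-(9,3,1) design of Example 1): points are codewords, the q+1 parallel
    classes are coordinates, and the symbol names the block containing the point."""
    code = []
    for x in range(q):
        for y in range(q):
            word = [(y - s * x) % q for s in range(q)]   # lines y = s*x + c
            word.append(x)                               # vertical lines x = c
            code.append(tuple(word))
    return code


def incidence_matrix_code(code, q):
    """Proposition 3: replace symbol i by the i-th row of I_q, giving the binary
    incidence matrix (rows = points, columns = blocks) as a code."""
    return [tuple(int(c == i) for c in word for i in range(q)) for word in code]
```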

5 Combining Codes 

New secure frameproof codes may be obtained via separating hash families (SHF), which are a more general object introduced in [11] (allowing for different size coalitions $w_1$ and $w_2$ in Definition 1). 

Definition 2. Let $n', m', w_1, w_2$ be positive integers such that $n' \ge m'$. An $(n', m', \{w_1, w_2\})$-separating hash family is a set of functions $\mathcal{F}$ such that $|Y| = n'$, $|X| = m'$, $f : Y \to X$ for each $f \in \mathcal{F}$, and for any $C_1, C_2 \subseteq \{1, 2, \dots, n\}$ such that $|C_1| = w_1$, $|C_2| = w_2$ and $C_1 \cap C_2 = \emptyset$, there exists at least one $f \in \mathcal{F}$ such that 

$$\{ f(y) : y \in C_1 \} \cap \{ f(y) : y \in C_2 \} = \emptyset .$$

The notation $SHF(n; n', m', \{w_1, w_2\})$ will be used to denote an $(n', m', \{w_1, w_2\})$-separating hash family with $|\mathcal{F}| = n$. 

Furthermore, in [12], a general concatenation construction of SHF is presented. 

Theorem 3. Suppose there exist $SHF(n'; M, n_0, \{w_1, w_2\})$ and $SHF(n''; n_0, m', \{w_1, w_2\})$. Then there exists an $SHF(n'n''; M, m', \{w_1, w_2\})$. 

The next results provide a way to combine secure frameproof codes, like those obtained in the previous sections, into new SFPC. These constructions give codes with a reasonably good number of codewords in some special cases. 

Theorem 4. [7] Let $M = M_1 \cdot M_2$, with $M_2 \ge M_1$ and $M_2$ not divisible either by 2 or by 3. Suppose $C_1(n_1, M_1)$ and $C_2(n_2, M_2)$ are binary 2-SFPC. Then there is a 2-SFPC (n, M) code with $n = n_1 + 4n_2$. 
Let S be the rightward cyclic shift operator on n-tuples and v be a binary p-tuple. In the v-representation of GF(p), the element i is represented by the p-tuple $S^i(v)$, the i-th rightward cyclic shift of v [8]. 

Lemma 1. [8] If p is a Mersenne prime and v is a binary m-sequence of length p, or more generally if (p − 1)/2 is odd and v is a Legendre sequence, then the v-representation of GF(p) yields an equidistant $(p, p, (p+1)/2)$ binary code. 



Example 2. Suppose we take $C_1 = C_2$ where $M_1 = 11$, $n_1 = 11$; then M = 121, n = 55. Applying Theorem 4, with $C_1(11, 11)$ and $C_2(55, 121)$, leads to a 2-SFPC with M = 1331, n = 231. 

Take now $M_1 = M_2 = 13$, $n_1 = n_2 = 13$; then M = 169, n = 65. 

Applying Theorem 4 a second time with $M_1 = 13$, $n_1 = 13$ and $M_2 = 169$, $n_2 = 65$ leads to a 2-SFPC with M = 1859, n = 273. 

Binary 2-SFPC may also be obtained from p-ary 2-SFPC exploiting ideas from [8], whose notation we follow. When the positive integers m and n are relatively prime, the Chinese remainder theorem (CRT) specifies a one-to-one correspondence between $m \times n$ arrays $A = \{a(i, j)\}$ with entries from an arbitrary alphabet and mn-tuples $b = [b_0, \dots, b_{mn-1}]$ over the same alphabet, where 

$$b_i = a(i \bmod m,\ i \bmod n),$$

"i mod m" denoting the remainder when i is divided by m. The next result is the main theorem in [8]. We omit its proof. 

Theorem 5. Let p be a prime and let V be a p-ary (n, M, d) equidistant code such that gcd(n, p) = 1. Let v be a binary p-tuple with Hamming weight wt(v) where 0 < wt(v) < p. Let each codeword $c = [c_0, c_1, \dots, c_{n-1}]$ in V determine a $p \times n$ array A such that the i-th column of A is the transpose of the p-tuple that is the v-representation of the i-th component of c, and let b be the binary N-tuple (where N = np) that corresponds to the array A by the CRT correspondence. Then the set of N-tuples b corresponding to the codewords c of V form a binary $(np, M, d(p+1)/2)$ equidistant code. 
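As an added example (not code from the paper), Lemma 1 and Theorem 5 worked for the Mersenne prime p = 7: the m-sequence v = 1110100 (constructed from the LFSR $x^3 + x^2 + 1$) gives the (7, 7, 4) code of Lemma 1, and as the p-ary equidistant code V I take the 2-dimensional simplex code over GF(7), an (8, 49, 7) code with gcd(8, 7) = 1, which Theorem 5 turns into a binary (56, 49, 28) equidistant code via the v-representation and the CRT correspondence. Both V and v are my choices, not the paper's.

```python
"""Lemma 1 (v-representation) and Theorem 5 (CRT construction) for p = 7."""
from itertools import combinations
from math import gcd


def shift_right(v, i):
    """S^i(v): the i-th rightward cyclic shift of the tuple v."""
    i %= len(v)
    return v[-i:] + v[:-i] if i else v


def v_representation(p, v):
    """The element i of GF(p) is represented by S^i(v), i = 0, ..., p-1."""
    return [shift_right(v, i) for i in range(p)]


def crt_tuple(array, m, n):
    """CRT correspondence: b_i = a(i mod m, i mod n) for 0 <= i < mn."""
    assert gcd(m, n) == 1, "the CRT correspondence needs gcd(m, n) = 1"
    return tuple(array[i % m][i % n] for i in range(m * n))


def binary_image(c, v):
    """Theorem 5: column i of the p x n array is S^{c_i}(v) (transposed);
    return the binary np-tuple b attached to that array by the CRT."""
    p, n = len(v), len(c)
    array = [[shift_right(v, ci)[row] for ci in c] for row in range(p)]
    return crt_tuple(array, p, n)


def simplex_code(p):
    """2-dimensional simplex code over GF(p): one coordinate per point
    (1,0),(0,1),(1,1),...,(1,p-1) of PG(1,p); every nonzero codeword has
    exactly one zero coordinate, so the code is equidistant with d = p."""
    points = [(1, 0), (0, 1)] + [(1, s) for s in range(1, p)]
    return [tuple((a * x + b * y) % p for x, y in points)
            for a in range(p) for b in range(p)]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def equidistance(code):
    """The common distance d if the code is equidistant, else None."""
    dists = {hamming(a, b) for a, b in combinations(code, 2)}
    return dists.pop() if len(dists) == 1 else None


# Constructed m-sequence of length 7 (LFSR x^3 + x^2 + 1), weight (7+1)/2 = 4.
V7 = (1, 1, 1, 0, 1, 0, 0)


def theorem5_binary_code(p=7, v=V7):
    """Binary (np, M, d(p+1)/2) code obtained from the simplex code over GF(p)."""
    return [binary_image(c, v) for c in simplex_code(p)]
```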
Abstract. We consider a certain generalisation of the hidden number 
problem which has recently been introduced by Boneh and Venkatesan. 
We apply our results to study the bit security of the XTR cryptosystem 
and obtain some analogues of the results which have been known for the 
bit security of the Diffie-Hellman scheme. 



1 Introduction 

Let p be a prime. We denote by $F = \mathbb{F}_p$ and $K = \mathbb{F}_q$ the fields of p and $q = p^m$ elements, respectively, where $m \ge 1$ is an integer. 

As usual we assume that F is represented by the elements $\{0, \dots, p-1\}$. 

For integers s and $r \ge 1$ we denote by $\lfloor s \rceil_r$ the remainder of s on division by r. We also use log z to denote the binary logarithm of z > 0. 

Here we study a variant of the hidden number problem introduced in 1996 by Boneh and Venkatesan [1,2]. This problem can be stated as follows: recover an unknown element $\alpha \in F$ such that for polynomially many known random $t \in F$ approximations to the values of are known. 

It has turned out that for many applications the condition that t is selected 
uniformly at random from F is too restrictive. Examples of such applications 
include the bit security results for the Diffie-Hellman, Shamir and several other 
cryptosystems [7,8] and rigorous results on attacks (following the heuristic ar- 
guments of [9,18]) on the DSA and DSA-like signature schemes [5,19,20]. 

It has been systematically exploited in the aforementioned papers [5,7,8,19,20] 
that the method of [1] can be adjusted to the case when t is selected from a se- 
quence which has some uniformity of distribution property. Thus, these papers 
have employed bounds of various exponential sums which are natural tools to 
establish the corresponding uniformity of distribution property. 

In particular, the case when t is selected from a small subgroup of F* has 
been studied in [7] and used to generalise (and correct) some results of [1] about 
the bit security of the Diffie-Hellman key. The results of [7] are based on bounds 
of exponential sums with elements of subgroups of F*, namely on Theorem 3.4 
and Theorem 5.5 of [12]. 

Here, motivated by applications to the recently introduced XTR cryptosys- 
tem, we consider a similar problem for subgroups in the extension field IK. Let 

$$\mathrm{Tr}(z) = z + z^{p} + \dots + z^{p^{m-1}}$$

be the trace of $z \in K$ in F, see [16] for this and other basic notions of the theory of finite fields. Also, let $G \subseteq K^*$ be a subgroup of the multiplicative group $K^*$. We consider the following question: recover a number $\alpha \in K$ such that for polynomially many known random $t \in G$, approximations to the values of $\lfloor \mathrm{Tr}(\alpha t) \rceil_p$ are known. Then we apply our results to obtaining a statement about the bit security of XTR [14,15], see also [3,24,26]. Unfortunately analogues of the bounds of exponential sums of Theorem 3.4 and Theorem 5.5 of [12] are not known for non-prime fields. Thus for subgroups of $K^*$ we use a different method, which is based on bounds of [4,6] for the number of solutions of certain equations in finite fields. Unfortunately it produces much weaker results. 

For a prime p and k > 0 we denote by $\mathrm{MSB}_{k,p}(x)$ any integer u such that 

$$\left| \lfloor x \rceil_p - u \right| \le p / 2^{k+1} . \qquad (1)$$

Roughly speaking $\mathrm{MSB}_{k,p}(x)$ gives the k most significant bits of x; however this definition is more flexible and suits our purposes better. In particular we remark that k in the inequality (1) need not be an integer. We also remark that here the notion of most significant bits is tailored to modular residues and does not match the usual definition for integers. 

Throughout the paper the implied constants in the symbol 'O' depend on m and occasionally, where obvious, may depend on the small positive parameter $\varepsilon$; they are all effective and can be explicitly evaluated. 



2 Distribution of Trace 

The following bound on the number of zeros of sparse polynomials is a version of a similar result from [4,6]. We present it in the form given in [24]. 

Lemma 1. Let $g \in K^*$ be of multiplicative order T and let $s \ge 2$ be an integer. For elements $a_1, \dots, a_s \in K^*$ and s integers $e_1, \dots, e_s$ we denote by W the number of solutions of the equation 

$$\sum_{i=1}^{s} a_i g^{e_i u} = 0, \qquad u \in [0, T-1].$$

Then $W \le 3\, T^{1 - 1/(s-1)} E^{1/(s-1)}$, where $E = \min_{1 \le i \le s} \max_{j \ne i} \gcd(e_i - e_j, T)$. 

For $\gamma \in K$ and integers r and h we denote by $N_\gamma(G, r, h)$ the number of solutions of the congruence 

$$\mathrm{Tr}(\gamma t) \equiv r + y \pmod p, \qquad t \in G,\ y = 0, \dots, h-1.$$

From Lemma 1 one immediately derives an upper bound on $N_\gamma(G, r, h)$. 

Lemma 2. For any $\gamma \in K^*$ and any subgroup $G \subseteq K^*$, 

$N_\gamma(G, r, h)$ 

where $D = \max_{1 \le \nu < m} \gcd(p^\nu - 1, |G|)$. 




270 I.E. Shparlinski 



Proof. Let g be a generator of G, thus g is of order T = |G|. Then for every $a \in F$ the congruence 

$$\mathrm{Tr}(\gamma t) \equiv a \pmod p, \qquad t \in G,$$

is equivalent to the congruence 

$$\sum_{i=1}^{s} a_i g^{e_i u} = 0,$$

with s = m + 1, $e_i = p^{i-1}$, $a_i = \gamma^{e_i}$ for $i = 1, \dots, s-1$ and $a_s = -a$, $e_s = 0$. Because T is a divisor of q − 1 we see that gcd(p, T) = 1. Thus by Lemma 1 the number of solutions of the above congruence does not exceed the bound of Lemma 1 for each $a \in F$. Considering $a \in [r, r + h - 1]$ we derive the result. □ 

3 Lattices 

As in [1,2], our results rely on rounding techniques in lattices. We therefore 
review a few related results and definitions. 

Let $\{b_1, \dots, b_s\}$ be a set of linearly independent vectors in $\mathbb{R}^s$. The set 

$$L = \{ z : z = c_1 b_1 + \dots + c_s b_s,\ c_1, \dots, c_s \in \mathbb{Z} \}$$

is called an s-dimensional full rank lattice with basis $\{b_1, \dots, b_s\}$. 

It has been remarked in Section 2.1 of [17], then in Section 2.4 of [21] and then in Section 2.4 of [22] that the following statement holds, which is somewhat stronger than that usually used in the literature. It follows from the modification of [23] of the lattice basis reduction algorithm of [13] and some result of [10]. For a vector u, let $\|u\|$ denote its Euclidean norm. 

Lemma 3. There exists a deterministic polynomial time algorithm which, for a given s-dimensional full rank lattice L and a vector $r \in \mathbb{R}^s$, finds a vector $v \in L$ with 

$$\|v - r\| \le \exp(\ldots)\, \min\{ \|z - r\|,\ z \in L \} .$$

Let $\omega_1, \dots, \omega_m$ be a fixed basis of K over F. 

For an integer k > 0 and $d \ge 1$ elements $t_1, \dots, t_d \in K$, we denote by $L_k(t_1, \dots, t_d)$ the (d + m)-dimensional lattice generated by the rows of the following $(d+m) \times (d+m)$-matrix 

$$\begin{pmatrix}
p & \cdots & 0 & 0 & \cdots & 0 \\
\vdots & \ddots & \vdots & \vdots & & \vdots \\
0 & \cdots & p & 0 & \cdots & 0 \\
\mathrm{Tr}(\omega_1 t_1) & \cdots & \mathrm{Tr}(\omega_1 t_d) & 1/2^{k+1} & \cdots & 0 \\
\vdots & & \vdots & \vdots & \ddots & \vdots \\
\mathrm{Tr}(\omega_m t_1) & \cdots & \mathrm{Tr}(\omega_m t_d) & 0 & \cdots & 1/2^{k+1}
\end{pmatrix} \qquad (2)$$
Lemma 4. Let p be a sufficiently large n-bit prime number and let G be a subgroup of $K^*$ of cardinality T with $T \ge q^{\rho}$ and $\max_{1 \le \nu < m} \gcd(p^\nu - 1, |G|) \le \ldots$ for some constants $\rho, \tau > 0$. Then for any $\varepsilon > 0$, $\eta = (1 - \rho\tau + \varepsilon)n + 6$, and $d = \lceil 2m/\varepsilon \rceil$ the following statement holds. Let 

$$\alpha = \sum_{j=1}^{m} a_j \omega_j \in K, \qquad a_1, \dots, a_m \in F,$$

be a fixed element of K. Assume that $t_1, \dots, t_d \in G$ are chosen uniformly and independently at random. Then with probability $P \ge 1 - q^{-1}$ for any vector $s = (s_1, \dots, s_d, 0, \dots, 0)$ with 

$$\Big( \sum_{i=1}^{d} \big( \mathrm{Tr}(\alpha t_i) - s_i \big)^2 \Big)^{1/2} \le 2^{-\eta} p$$

all vectors $v = (v_1, \dots, v_d, v_{d+1}, \dots, v_{d+m}) \in L_k(t_1, \dots, t_d)$ satisfying 

$$\Big( \sum_{i=1}^{d} ( v_i - s_i )^2 \Big)^{1/2} \le 2^{-\eta} p$$

are of the form 

$$v = \Big( \sum_{j=1}^{m} b_j \mathrm{Tr}(\omega_j t_1), \dots, \sum_{j=1}^{m} b_j \mathrm{Tr}(\omega_j t_d),\ \frac{b_1}{2^{k+1}}, \dots, \frac{b_m}{2^{k+1}} \Big)$$

with some integers $b_j \equiv a_j \pmod p$, $j = 1, \dots, m$. 

Proof. As in [1] we define the modular distance between two integers r and l as 

$$\mathrm{dist}_p(r, l) = \min_{b \in \mathbb{Z}} |r - l - bp| = \min\{ \lfloor r - l \rceil_p,\ p - \lfloor r - l \rceil_p \}.$$

We see from Lemma 2 that for any $\beta \in K$ with $\beta \ne \alpha$ the probability $P(\beta)$ that 

$$\mathrm{dist}_p\big( \mathrm{Tr}(\alpha t), \mathrm{Tr}(\beta t) \big) \le 2^{-\eta + 1} p$$

for $t \in G$ selected uniformly at random is 
P(/3) < 3 {2-P+^p+l) < 2-’'+5pT-^/™ < 2-"+V'’^ 

< 2“'l“(l“P'r)n+5 _ 2-eri-l ^ ^-e _ g-e/™ 

provided that p is large enough. 

Therefore, choosing $d = \lceil 2m/\varepsilon \rceil$, for any $\beta \in K$, $\beta \ne \alpha$, we obtain 

$$\Pr\big[ \forall i \in [1, d] \ \big|\ \mathrm{dist}_p(\mathrm{Tr}(\alpha t_i), \mathrm{Tr}(\beta t_i)) \le 2^{-\eta+1} p \big] = P(\beta)^d \le q^{-\varepsilon d / m} \le q^{-2},$$

where the probability is taken over $t_1, \dots, t_d \in G$ chosen uniformly and independently at random. 

From here, we derive 

$$\Pr\big[ \exists \beta \in K \setminus \{\alpha\},\ \forall i \in [1, d] \ \big|\ \mathrm{dist}_p(\mathrm{Tr}(\alpha t_i), \mathrm{Tr}(\beta t_i)) \le 2^{-\eta+1} p \big] \le q^{-1}.$$

The rest of the proof is identical to the proof of Theorem 5 of [1]. Indeed, we fix some $t_1, \dots, t_d \in G$ with 

$$\min_{\beta \in K \setminus \{\alpha\}} \ \max_{i \in [1, d]} \mathrm{dist}_p\big( \mathrm{Tr}(\alpha t_i), \mathrm{Tr}(\beta t_i) \big) > 2^{-\eta+1} p . \qquad (3)$$

Let $v \in L_k(t_1, \dots, t_d)$ be a lattice point satisfying 

$$\Big( \sum_{i=1}^{d} ( v_i - s_i )^2 \Big)^{1/2} \le 2^{-\eta} p .$$

Since $v \in L_k(t_1, \dots, t_d)$, there are integers $b_1, \dots, b_m, z_1, \dots, z_d$ such that 

$$v = \Big( \sum_{j=1}^{m} b_j \mathrm{Tr}(\omega_j t_1) - z_1 p, \dots, \sum_{j=1}^{m} b_j \mathrm{Tr}(\omega_j t_d) - z_d p,\ \frac{b_1}{2^{k+1}}, \dots, \frac{b_m}{2^{k+1}} \Big).$$

If $b_j \equiv a_j \pmod p$, $j = 1, \dots, m$, then for all $i = 1, \dots, d$ we have 

$$\sum_{j=1}^{m} b_j \mathrm{Tr}(\omega_j t_i) - z_i p = \sum_{j=1}^{m} a_j \mathrm{Tr}(\omega_j t_i) = \mathrm{Tr}(\alpha t_i),$$

since otherwise there would be $i \in \{1, \dots, d\}$ such that $|v_i - s_i| > 2^{-\eta} p$. 

Now suppose that $b_j \not\equiv a_j \pmod p$ for some $j = 1, \dots, m$. Put 

$$\beta = \sum_{j=1}^{m} b_j \omega_j .$$

In this case we have 

$$\begin{aligned}
\Big( \sum_{i=1}^{d} ( v_i - s_i )^2 \Big)^{1/2}
&\ge \max_{i \in [1, d]} \mathrm{dist}_p\Big( \sum_{j=1}^{m} b_j \mathrm{Tr}(\omega_j t_i),\ s_i \Big) \\
&\ge \max_{i \in [1, d]} \Big( \mathrm{dist}_p\Big( \mathrm{Tr}(\alpha t_i),\ \sum_{j=1}^{m} b_j \mathrm{Tr}(\omega_j t_i) \Big) - \mathrm{dist}_p\big( s_i, \mathrm{Tr}(\alpha t_i) \big) \Big) \\
&\ge \max_{i \in [1, d]} \Big( \mathrm{dist}_p\big( \mathrm{Tr}(\alpha t_i), \mathrm{Tr}(\beta t_i) \big) - \mathrm{dist}_p\big( s_i, \mathrm{Tr}(\alpha t_i) \big) \Big) \\
&> 2^{-\eta+1} p - 2^{-\eta} p = 2^{-\eta} p
\end{aligned}$$

that contradicts our assumption. As we have seen, the condition (3) holds with probability exceeding $1 - q^{-1}$ and the result follows. □ 
4 Trace Approximation Problem 



Using Lemma 4 in the same way as Theorem 5 of [1] is used in the proof of Theorem 1 of that paper, we obtain 

Theorem 1. Let p be a sufficiently large n-bit prime number and let G be a subgroup of $K^*$ with $|G| \ge q^{\rho}$ and $\max_{1 \le \nu < m} \gcd(p^\nu - 1, |G|) \le \ldots$ for some positive constants $\rho, \tau > 0$. Then for any $\varepsilon > 0$, $k = \lceil (1 - \rho\tau + \varepsilon) n \rceil$ and $d = \lceil 4m/\varepsilon \rceil$ the following statement holds. There exists a deterministic polynomial time algorithm $\mathcal{A}$ such that for any $\alpha \in K$ given 2d values $t_i \in G$ and $s_i = \mathrm{MSB}_{k,p}(\mathrm{Tr}(\alpha t_i))$, $i = 1, \dots, d$, its output satisfies 

$$\Pr\big[ \mathcal{A}(t_1, \dots, t_d; s_1, \dots, s_d) = \alpha \big] \ge 1 - q^{-1}$$

if $t_1, \dots, t_d$ are chosen uniformly and independently at random from G. 

Proof. We follow the same arguments as in the proof of Theorem 1 of [1] which we briefly outline here for the sake of completeness. We refer to the first d vectors in the matrix (2) as p-vectors and we refer to the other m vectors as trace-vectors. Let 

$$\alpha = \sum_{j=1}^{m} a_j \omega_j \in K, \qquad a_1, \dots, a_m \in F.$$

We consider the vector $s = (s_1, \dots, s_d, s_{d+1}, \dots, s_{d+m})$ where $s_{d+j} = 0$, $j = 1, \dots, m$. 

Multiplying the j-th trace-vector of the matrix (2) by $a_j$ and subtracting a certain multiple of the j-th p-vector, $j = 1, \dots, m$, we obtain a lattice point 

$$u_\alpha = \big( u_1, \dots, u_d, a_1/2^{k+1}, \dots, a_m/2^{k+1} \big) \in L_k(t_1, \dots, t_d)$$

such that 

$$|u_i - s_i| \le p\, 2^{-k-1}, \qquad i = 1, \dots, d + m,$$

where $u_{d+j} = a_j/2^{k+1}$, $j = 1, \dots, m$. Therefore, 

$$\|u_\alpha - s\| \le (d + m)^{1/2}\, 2^{-k-1} p .$$



Let 

$$\eta = (1 - \rho\tau + \varepsilon/2) n + 6 .$$

By Lemma 3 (used with a slightly rougher constant) in polynomial time we can find $v = (v_1, \dots, v_d, v_{d+1}, \dots, v_{d+m}) \in L_k(t_1, \dots, t_d)$ such that 

$$\|v - s\| \le 2^{d+m} \min\{ \|z - s\|,\ z \in L_k(t_1, \dots, t_d) \} \le 2^{d+m} (d + m)^{1/2}\, 2^{-k-1} p \le 2^{-k + O(1)} p \le 2^{-\eta - 1} p,$$
provided that p is large enough. We also have 

$$\Big( \sum_{i=1}^{d} ( u_i - s_i )^2 \Big)^{1/2} \le d^{1/2}\, 2^{-k-1} p \le 2^{-\eta - 1} p .$$

Therefore, 

$$\Big( \sum_{i=1}^{d} ( v_i - s_i )^2 \Big)^{1/2} \le 2^{-\eta} p .$$

Applying Lemma 4 (with $\varepsilon/2$ instead of $\varepsilon$), we see that $v = u_\alpha$ with probability at least $1 - q^{-1}$, and therefore the components $a_1, \dots, a_m$ of $\alpha$ can be recovered from the last m components of $v = u_\alpha$. □ 



5 Applications to XTR 

We start with a brief outline of the XTR settings, concentrating only on the 
details which are relevant to this work. 

Let m = 6, thus $K = \mathbb{F}_{p^6}$. We also consider another field $L = \mathbb{F}_{p^2}$, thus we have a tower of extensions $F \subset L \subset K$. Accordingly, we denote by $\mathrm{Tr}_{K/L}(u)$ and $\mathrm{Tr}_{L/F}(u)$ the trace of $u \in K$ in L and the trace of $u \in L$ in F. In particular, $\mathrm{Tr}_{L/F}(\mathrm{Tr}_{K/L}(u)) = \mathrm{Tr}(u)$ for $u \in K$. 

The idea of XTR is based on the observation that for some specially selected element $g \in K^*$, which we call the XTR generator, of prime multiplicative order $l \ge 3$ such that 

$$l \mid p^2 - p + 1, \qquad (4)$$

one can efficiently compute $\mathrm{Tr}_{K/L}(g^{xy})$ from the values of x and $\mathrm{Tr}_{K/L}(g^y)$ or, alternatively, from the values of y and $\mathrm{Tr}_{K/L}(g^x)$. This allows us to reduce the size of messages to exchange (namely, just $\mathrm{Tr}_{K/L}(g^x)$ and $\mathrm{Tr}_{K/L}(g^y)$ rather than $g^x$ and $g^y$) in order to create a common XTR key $\mathrm{Tr}_{K/L}(g^{xy})$. 

As it follows from Theorem 24 of [26] (see also [3,14]) any polynomial time algorithm to compute $\mathrm{Tr}_{K/L}(g^{xy})$ from $g^x$ and $g^y$ can be used to construct a polynomial time algorithm to compute $g^{xy}$ from the same information. In [24] the same result has been obtained with an algorithm which computes $\mathrm{Tr}_{K/L}(g^{xy})$ only for a positive proportion of pairs $g^x$ and $g^y$. Furthermore, the same results hold even for algorithms which compute only $\mathrm{Tr}(g^{xy})$. We recall that any element $u \in L$ can be represented by a pair $(\mathrm{Tr}_{L/F}(u), \mathrm{Tr}_{L/F}(\vartheta u))$ where $\vartheta$ is a root of an irreducible quadratic polynomial over F. Thus $\mathrm{Tr}(g^{xy})$ is a part of the representation of $\mathrm{Tr}_{K/L}(g^{xy})$. In fact the same result holds for $\mathrm{Tr}(\omega g^{xy})$ with any fixed $\omega \in K^*$. 

Thus the above results suggest that breaking XTR is not easier than breaking 
the classical Diffie-Hellman scheme. 

Here we obtain one more result of this kind and show that even computing a certain positive proportion of bits of $\mathrm{Tr}(g^{xy})$ from $\mathrm{Tr}_{K/L}(g^x)$ and $\mathrm{Tr}_{K/L}(g^y)$ is as hard as breaking the classical Diffie-Hellman scheme. In fact we prove a stronger statement that computing a certain positive proportion of bits of $\mathrm{Tr}_{\mathbb{F}_{p^6}/\mathbb{F}_p}(g^{xy})$ from the values of $g^x$ and $g^y$ is as hard as computing $g^{xy}$ from these values. 

We remark that although this result is analogous to those known for the 
bit security of the Diffie-Hellman scheme [1,7] it is much weaker due to lack of 
non-trivial estimates of the appropriate exponential sums. 

For a positive integer k we denote by $O_k$ the oracle such that for any given values of $g^x$ and $g^y$, it outputs $\mathrm{MSB}_{k,p}(\mathrm{Tr}(g^{xy}))$. 

Theorem 2. Let p be a sufficiently large n-bit prime number and let the order of the XTR generator satisfy the inequality $l \ge p^{\lambda}$. Then for any $\varepsilon > 0$ and $k = \lceil (1 - \lambda/6 + \varepsilon) n \rceil$, there exists a polynomial time algorithm which, given the values of $U = g^u$ and $V = g^v$, where $u, v \in [0, \dots, l-1]$, makes $\lceil 24/\varepsilon \rceil$ calls of the oracle $O_k$ and computes $g^{uv}$ correctly with probability at least $1 - p^{-6}$. 

Proof. The case u = 0 is trivial. Now assume that $1 \le u \le l - 1$. Then $g^u$ is an element of multiplicative order l (because l is prime). 

One easily verifies that (4) implies $\gcd(p^\nu - 1, l) = 1$, $\nu = 1, \dots, 5$. 

Select a random element $r \in [0, l-1]$. Applying the oracle $O_k$ to U and $V_r = g^{v+r} = V g^r$ we obtain 

$$\mathrm{MSB}_{k,p}\big( \mathrm{Tr}(g^{u(v+r)}) \big) = \mathrm{MSB}_{k,p}\big( \mathrm{Tr}(g^{uv} t) \big)$$

where $t = g^{ur}$. 

Selecting $d = \lceil 24/\varepsilon \rceil$ such elements $r_1, \dots, r_d \in [0, l-1]$ uniformly and independently at random we can now apply Theorem 1 with $\alpha = g^{uv}$, m = 6, $\rho = \lambda/6$, $\tau = 1$ and the group G generated by $g^u$ (which coincides with the group generated by g). □ 

In particular, if l is of order p, then we see that about 84% of the bits of $\mathrm{Tr}(g^{uv})$ (or about 42% of the bits which are needed to encode the private key $\mathrm{Tr}_{\mathbb{F}_{p^6}/\mathbb{F}_{p^2}}(g^{uv})$) are as hard as $g^{uv}$. 
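The re-randomisation step of the proof of Theorem 2, worked as an added example (not the paper's code) in a smaller setting: the field is $\mathbb{F}_{p^2}$ with the constructed prime p = 1019 (p ≡ 3 mod 4, so $x^2 + 1$ is irreducible) instead of XTR's $\mathbb{F}_{p^6}$, the generator has prime order l = 17 dividing p + 1 (the m = 2 analogue of condition (4)), and the oracle $O_k$ is simulated with knowledge of the secret exponent u; these are all assumptions of the example. It shows how each oracle answer on $(U, V g^r)$ becomes a hidden-number sample $(t, \mathrm{MSB}_{k,p}(\mathrm{Tr}(\alpha t)))$ with $\alpha = g^{uv}$ and $t = U^r$, and checks inequality (1) on every sample.

```python
"""Oracle re-randomisation from the proof of Theorem 2, in F_{p^2}."""
import random

P = 1019                      # constructed 10-bit prime, P ≡ 3 (mod 4)
N_BITS = P.bit_length()       # n = 10
L = 17                        # prime order of the generator; 17 | P + 1 = 1020


class GF2:
    """Elements a + b*i of F_{p^2} with i^2 = -1 (irreducible since P ≡ 3 mod 4)."""
    __slots__ = ("a", "b")

    def __init__(self, a, b=0):
        self.a, self.b = a % P, b % P

    def __add__(self, o):
        return GF2(self.a + o.a, self.b + o.b)

    def __mul__(self, o):
        return GF2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)

    def __eq__(self, o):
        return (self.a, self.b) == (o.a, o.b)

    def __hash__(self):
        return hash((self.a, self.b))

    def __pow__(self, e):            # square-and-multiply, e >= 0
        result, base = GF2(1), self
        while e:
            if e & 1:
                result = result * base
            base, e = base * base, e >> 1
        return result


def trace(z):
    """Tr(z) = z + z^p, the m = 2 case of z + z^p + ... + z^{p^{m-1}}; lies in F_p."""
    t = z + z ** P
    assert t.b == 0, "trace must land in the prime field"
    return t.a


def msb(x, k):
    """One admissible value of MSB_{k,p}(x): x mod p rounded to the nearest
    multiple of 2^(n-k-1).  The error is at most 2^(n-k-2) <= p / 2^(k+1)
    because p >= 2^(n-1), so inequality (1) is satisfied."""
    step = 1 << (N_BITS - k - 1)
    return ((x % P + step // 2) // step) * step


def satisfies_ineq_1(u, x, k):
    """Inequality (1): |x mod p - u| <= p / 2^(k+1)."""
    return abs(x % P - u) <= P / 2 ** (k + 1)


def element_of_order_l():
    """Deterministically find g in F_{p^2}^* of order L."""
    cofactor = (P * P - 1) // L
    for a in range(1, P):
        g = GF2(a, 1) ** cofactor
        if g != GF2(1):
            return g                # g^L = 1 and g != 1, L prime => order L
    raise ValueError("no element of order L found")


def make_oracle(u, k):
    """Simulated O_k: on (g^u, g^y) it returns MSB_{k,p}(Tr(g^{uy})).  The
    simulation uses the secret u; only the oracle's outputs are used below."""
    def oracle(U, Y):
        return msb(trace(Y ** u), k)
    return oracle


def hnp_samples(g, U, V, oracle, k, d, rng):
    """Query O_k on (U, V g^r) for d random r.  Since g^{u(v+r)} = g^{uv} g^{ur},
    the answer is MSB_{k,p}(Tr(alpha t)) with hidden alpha = g^{uv} and the
    multiplier t = U^r = g^{ur}, which the reduction can compute itself."""
    samples = []
    for _ in range(d):
        r = rng.randrange(L)
        s = oracle(U, V * g ** r)
        samples.append((U ** r, s))
    return samples


def demo(u=5, v=11, k=4, d=6, seed=2024):
    """Run the reduction end to end; returns (alpha, samples) for checking."""
    g = element_of_order_l()
    U, V = g ** u, g ** v
    samples = hnp_samples(g, U, V, make_oracle(u, k), k, d, random.Random(seed))
    return g ** (u * v), samples
```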

6 Remarks 

We remark that because we assume m to be fixed the lattices which arise in our setting are of fixed dimension. Therefore one can use even exact algorithms to find the closest vector [11] instead of approximate lattice basis reduction based algorithms as we have done in Lemma 3. On the other hand, using Lemma 3 (or other similar statements) has an additional advantage: it allows us to study this problem when m grows (slowly) together with p, because one can take $\varepsilon$ as a function of p slowly decreasing to zero. 

The method of this work is similar to that of [25], where a variant of Lemma 1 has been used for the problem of finding an m-sparse polynomial 

$$f(X) = a_1 X^{e_1} + \dots + a_m X^{e_m} \in F[X]$$

from approximate values of $\lfloor f(t) \rceil_p$ at polynomially many points $t \in F$ selected uniformly at random. 

Finally, probably the most challenging problem is to obtain a similar result for smaller values of k, say for $k = O(\log^{1/2} p)$ as it is known for the Diffie-Hellman scheme [1,7]. In fact for subgroups $G \subseteq K^*$ of large enough order T this can easily be done using the bound 

$$\max_{\gamma \in K^*} \Big| \sum_{t \in G} \exp\big( 2\pi i\, \mathrm{Tr}(\gamma t) / p \big) \Big| \le q^{1/2}$$

of exponential sums which is nontrivial only for such "large" subgroups, for example, see Theorem 8.78 in [16] (combined with Theorem 8.24 of the same work) or the bound (3.15) in [12]. However these subgroups are too large to be useful for applications to XTR which has been our principal motivation. On the other hand, Theorem 3.4 and Theorem 5.5 of [12] are nontrivial for much smaller subgroups but apply only to prime fields. To be more precise, Theorem 5.5 of [12] can be extended to composite fields but it does not appear to be enough for our applications. It seems only to imply that for infinitely many (rather than for all or almost all) pairs of primes (p, l) satisfying the above XTR constraints, about $\log^{1/2} p$ bits of $\mathrm{Tr}(g^{xy})$ are as hard as $g^{xy}$. 
Abstract. A combinatorial method of encryption is presented. The general idea is to treat vertices of a graph as messages and walks of a certain 
length as encryption tools. We study the quality of such an encryption 
in case of graphs of high girth by comparing the probability to guess the 
message (vertex) at random with the probability to break the key, i.e. 
to guess the encoding walk. In fact the quality is good for graphs which 
are close to the Erdos bound, defined by the Even Cycle Theorem. 

We construct special linguistic graphs of affine type whose vertices (mes- 
sages) and walks (encoding tools) could be both naturally identified with 
vectors over GF{q), and neighbors of the vertex defined by a system of 
linear equations. For them the computation of walks has a strong simi- 
larity with the classical scheme of linear coding. The algorithm has been 
implemented and tested. 

Keywords: cryptography, constructive combinatorics, data communi- 
cation, networks, security, privacy, e-commerce, virtual campus. 



1 Introduction 

The current work is motivated by security concerns on transmitting data across a University of the South Pacific (USP) intranet, called USPNet (http://www.usp.ac.fj), designed and implemented to cater for distance-mode tele-education and associated administration as an e-commerce application. USPNet is expected to facilitate teaching by making education accessible and by helping remove the 'tyranny of distance' between the twelve geographically remote member countries of the USP. 

We have developed a prototype for CRYPTIM, a system to encrypt text and 
image data for transmission over the USPNet. The prototype is being used for 
investigation, evaluation and demonstration of the potential of a new encryption 
scheme. It has been implemented as a software package and trialled with the 
USPNet intranet. 

2 Cryptosystem Requirements 

Assume that an unencrypted message, plaintext, which can be text or image data, is a string of bits. It is to be transformed into an encrypted string, or ciphertext, by means of a cryptographic algorithm and a key. So that the recipient can read the message, encryption must be invertible. 

Conventional wisdom holds that in order to defy easy decryption, a cryptographic algorithm should produce seeming chaos: that is, ciphertext should look and test random. In theory an eavesdropper should not be able to determine any significant information from an intercepted ciphertext. Broadly speaking, attacks on a cryptosystem fall into two categories: passive attacks, in which the adversary monitors the communication channel, and active attacks, in which the adversary may transmit messages to obtain information (e.g. the ciphertext of a chosen plaintext). 

Passive attacks are easier to mount, but yield less. Attackers hope to determine the plaintext from the ciphertext they capture; a more successful attack will determine the key and thus compromise the whole set of messages. 

An assumption first codified by Kerckhoffs in the nineteenth century is that the algorithm is known and the security of the algorithm rests entirely on the security of the key. 

Cryptographers have been improving their algorithms to resist the following 
list of increasingly aggressive attacks: 

i) ciphertext only - the adversary has access to the encrypted communications; 

ii) known plaintext - the adversary has some plaintext and its corresponding 
ciphertext; 

iii) chosen text - the adversary chooses the plaintext to be encrypted, or the 
adversary picks the ciphertext to be decrypted (chosen ciphertext), or the adversary 
chooses the plaintext to be encrypted depending on the ciphertext received 
from previous requests (adaptive chosen plaintext). 

Chosen-text attacks are largely used to simplify analysis of a cryptosystem. 

In our system, we have considered a symmetric approach based on [8], [9] and [11]. It gives the method to develop a family of optimal algorithms, which are able to work efficiently with long keys and long messages. Theoretically, they have universal flexibility in the sizes of the text and the key. Some of them are variations of one time pad algorithms, but others are “multi time pad” algorithms and can even be resistant to attacks of type (ii). Within the framework of the project “CRYPTIM” (abbreviation for enCRYPtion of Text and IMage data), supported by the USP Research Committee, algorithms have been implemented for usage in USPNet. Through this work, we are testing the resistance of the “multi time pad” algorithm to attacks of type (iii) and present the first results from such tests. 



3 Walks on Graphs of Large Girth as Encoding Tools 

One of the classical models of the procedure for encoding data is to present the information to be sent as a variety of $n$-tuples over the finite Galois field $GF(q)$. We then “encode” our message $x$ by taking an affine transformation $y = Ax + b$, where $A$ is a certain matrix and $b$ is another $n$-tuple. 

Our proposal is based on the combinatorial method of construction of linear and nonlinear codes, which has a certain similarity with the classical scheme above. 

Let $\Gamma$ be a $k$-regular graph and $V(\Gamma)$ the set of its vertices. Let us refer to the sequence $\rho = (v_1, v_2, \dots, v_n)$, where $v_i \in V(\Gamma)$, $v_i \ne v_{i+2}$ for $i = 1, \dots, n-2$, and $v_i \Gamma v_{i+1}$ for $i = 1, \dots, n-1$, and to $v_\rho = v_n$ as the encoding sequence and the encoded vertex of $v = v_1$. Clearly for $u = v_\rho$ there is a sequence $\mu$ of the same length such that $u_\mu = v$. We refer to $\mu$ as the decoding sequence for $v_\rho$ and write $\mu = \rho^{-1}$. 

In the case of vertex-transitive graphs, the set of all encoding sequences of a certain length starting from the chosen vertex $v_0$ may be considered as the set of possible keys. To apply the key $\rho$ from this set to the vertex $v$ means taking the last vertex of the walk $\rho^g$, where $g$ is the graph automorphism moving $v_0$ to $v$. In the case of the parallelotopic graphs defined below there exists a combinatorial way of describing keys uniformly, which does not depend on the starting vertex (or message). 

The girth $g = g(\Gamma)$ of a graph $\Gamma$ is the length of the shortest cycle in the graph. 

If the length of the encoding sequence $\rho$ of the $k$-regular graph $\Gamma$ of girth $g = g(\Gamma)$ is less than $g$, then $v_\rho \ne v$ for any vertex $v$. 

If one knows the length $t < g/2$ of the decoding sequence, the probability of generating the correct message by applying an encoding sequence chosen at random is $1/(k(k-1)^{t-1})$. In this case the algorithm is $k(k-1)^{t}$ secure. We will use the term graph encryption scheme for the pair $(\Gamma, t)$. It is reasonable to consider the following class of parallelotopic graphs. 

Let $\Gamma$ be a bipartite graph with partition sets $P_i$, $i = 1, 2$ (inputs and outputs). Let $M$ be the disjoint union of finite sets $M_1$ and $M_2$. We say that $\Gamma$ is a bipartite parallelotopic graph over $(M_1, M_2)$ if there exists a function $\pi : V(\Gamma) \to M$ such that if $p \in P_i$ then $\pi(p) \in M_i$, and for every pair $(p, j)$, $p \in P_i$ and $j$ a label of the other partition set, there is a unique neighbour $u$ of $p$ with $\pi(u) = j$. 

It is clear that the bipartite parallelotopic graph $\Gamma$ is a $(|M_1|, |M_2|)$-biregular graph. 

So a parallelotopic graph is just a bipartite graph with special colourings of inputs and outputs into $|M_1|$ and $|M_2|$ colours, respectively, such that for each vertex there exists a unique neighbour of any given colour. 

We also refer to the function $\pi$ in the definition of a bipartite parallelotopic graph as a labelling. We will often omit the term “bipartite”, because all our graphs are bipartite. In the case of an encryption scheme on a bipartite graph we will use one of the partition sets (inputs) as the text space. 

Linguistic graphs: 

Let $M^t$ be the Cartesian product of $t$ copies of the set $M$. We say that the graph $\Gamma$ is a linguistic graph over the set $M$ with parameters $m, k, r, s$ if $\Gamma$ is a bipartite parallelotopic graph over $(V_1, V_2)$, $M_1 = M^m$, $M_2 = M^k$, with the set of points $I = M^r$ (inputs) and the set of lines $O = M^s$ (outputs) (i.e. $M^r$ and $M^s$ are the partition sets of $\Gamma$). It is clear that $m + r = k + s$. 
We use the term linguistic coding scheme for a pair $(\Gamma, n)$, where $\Gamma$ is a linguistic graph and $n < g$ is the length of the encoding sequences. 

We choose a bipartite graph in the definition above because regular trees are infinite bipartite graphs and many biregular finite graphs of high girth can be obtained as their quotients (homomorphic images). 

Using linguistic graphs, our messages and coding tools are words over the alphabet $M$ and we can use the usual matching between real information and vertices of our graph. In the case $M = GF(q)$ the similarity with linear coding is stronger, because our messages and keys are tuples over $GF(q)$. 

4 Absolutely Optimal Schemes 
from Graphs of Large Girth 

One time pads, whose keys are strings of random bits at least as long as the message itself, achieve the seeming impossibility: an eavesdropper is not able to determine any significant information from an intercepted ciphertext. The simplest classical example: if $p_i$ is the $i$-th bit of the plaintext, $k_i$ is the $i$-th bit of the key, and $c_i$ is the $i$-th bit of the ciphertext, then $c_i = p_i + k_i$, where $+$ is exclusive or, often written XOR, and is simply addition modulo 2. One time pads must be used exactly once: if a key is ever reused, the system becomes highly vulnerable. 

It is clear that the encryption scheme above has no resistance to attacks of type (ii). 

Families of one time pads can be constructed for the case when the key space and the message space have the same magnitude. For theoretical studies of the cryptographic properties of a graph $\Gamma$ we will always look at the encryption scheme $(\Gamma, t)$, where $t = [g/2]$ and $g$ is the girth of $\Gamma$. 

Let $\Gamma_i$ be an absolutely optimal family of graphs, i.e. a family of graphs such that the ratio $p_{key}(i)/p_{mes}(i)$ of the probabilities $p_{key}(i)$ and $p_{mes}(i)$ to guess the encoding sequence and to guess the message in the scheme $(\Gamma_i, t_i)$, respectively, goes to 1 as $i$ grows. 

The constructions of absolutely optimal families of schemes of high girth of increasing degree are connected with studies of some well-known problems in Extremal Graph Theory (see [2]). Let $ex(v, n)$ be, as usual, the greatest number of edges (size) in a graph on $v$ vertices which contains no cycles $C_3, C_4, \dots, C_n$. 

From Erdos’ Even Cycle Theorem and its modifications [2] it follows that 

$ex(v, 2k) \le C v^{1 + 1/k}$ (1) 

where $C$ is a positive constant. 

It is easy to see that the magnitude of an extremal family of regular graphs of given girth and unbounded degree has to be on the Erdos upper bound (1). This bound is known to be sharp precisely when $k = 2, 3$, and 5. Thus the problem of constructing absolutely optimal families of high girth is a difficult one. It has been shown in [10] that the incidence graphs of simple groups of Lie type of rank 2 can be used as absolutely optimal encryption schemes with certain resistance to attacks of kind (i); examples of families of absolutely optimal coding schemes of parallelotopic graphs of girth 6, 8, 12 have been considered. Let us look at some of them. 

Example 1 

Let $P = \{(x_1, x_2, x_3, x_4, x_5) \mid x_i \in GF(q)\}$, $L = \{[y_1, y_2, y_3, y_4, y_5] \mid y_i \in GF(q)\}$. Let us define a bipartite graph $I$ as: $(a, b, c, d, e)\, I\, [x, y, z, u, v]$ if and only if 
$y - b = xa$ 
$z - 2c = -2xb$ 
$u - 3d = -3xc$ 
$2v - 3e = 3zb - 3yc - ua$ 

Input $(a, b, c, d, e)$ and output $[x, y, z, u, v]$ are connected by an edge in the graph $I$ iff the conditions above hold. 

From the equations above, it follows that $\pi$: $\pi((x_1, x_2, x_3, x_4, x_5)) = x_1$ and $\pi([y_1, y_2, y_3, y_4, y_5]) = y_1$ is a labelling for the parallelotopic graph $I$. 

It can be shown that for $\mathrm{char}\, GF(q) > 3$ the girth of this graph is at least 12. Directly from the equations above we can get that $I$ defines the linguistic coding scheme with parameters $(1, 1, 5, 5)$ of affine type over $GF(q)$. It is clear that in the case of encoding tuples of length 5 we get $p_{key} = 1/(q(q-1)^4)$, $p_{mes} = 1/q^5$, and $I = I_5(q)$ is an absolutely optimal family of linguistic graphs. 

Example 2 

Let $GF(q^2)$ be the quadratic extension of $GF(q)$ and $x \mapsto x^q$ the Frobenius automorphism of $GF(q^2)$. Let $P = \{(x_1, x_2, x_3) \mid x_1 \in GF(q), x_2 \in GF(q^2), x_3 \in GF(q)\}$, $L = \{[y_1, y_2, y_3] \mid y_1 \in GF(q^2), y_2 \in GF(q^2), y_3 \in GF(q)\}$. Let us define the bipartite graph $I = I_3(q)$ as: $(a, b, c)\, I\, [x, y, z]$ if and only if 
$y - b = xa$ 
$z - c = ay + a y^q$. 

It is clear that the rules $\pi((x_1, x_2, x_3)) = x_1$ and $\pi([y_1, y_2, y_3]) = y_1$ define a parallelotopic scheme of affine type over $GF(q)$ (but not over $GF(q^2)$). Its parameters are $(1, 2, 4, 5)$. It can be shown that the girth of $I = I_3(q)$ is at least 8. It is easy to check that $I_3(q)$ is a family of absolutely optimal linguistic graphs. 

Example 1 gives us families of graphs with sizes on the Erdos bound, and Example 2 gives examples of graphs with sizes on the analogous bound for biregular graphs of given degree. Both examples above are special induced subgraphs of the incidence graphs of geometries of finite simple groups of Lie type of rank 2, which also form families of absolutely optimal graphs. Such incidence geometries are not even parallelotopic graphs, but there is an effective way to compute walks, based on the possibility of embedding the geometry into the related Lie algebra [10]. 

For the known absolutely optimal schemes of high girth with resistance to attacks of type (ii) the girth is $< 16$. The problem of breaking the key is equivalent to the solution of a system of nonlinear equations of degree $d(g)$ depending on the girth $g$. Absolutely optimal schemes of this kind can be used as blocks of larger coding schemes. 
5 Optimal Schemes of Unbounded Girth 

It is known that one time pads are impractical because in real life we need to deal with large amounts of information. A reasonable strategy is to consider a weaker requirement than equality of the dimension $d_{key}$ of the key space and the dimension $d_{pt}$ of the plaintext space. Let us consider a family of graphs $\Gamma_i$ of increasing girth $g_i$ such that for the corresponding coding schemes $(\Gamma_i, t_i = [g_i/2])$ 
$\lim_{i \to \infty} (p_{key}(i))^c / p_{mes}(i) = 1$, 
where $c$ is a constant which does not depend on $i$. 

In this situation we say that the schemes of $\Gamma_i$ form an optimal family of schemes. It is easy to check that in the case of an optimal family of schemes corresponding to graphs of degree $k_i$ and unbounded girth $g_i$ we have 

$g_i \ge \gamma \log_{k_i - 1}(v_i)$ (2) 

where $v_i$ denotes the number of vertices of $\Gamma_i$. The last formula means that the $\Gamma_i$, $i = 1, \dots$ form an infinite family of graphs of large girth in the sense of N. Biggs [1]. 

A few examples of such families are known (see [1] and [6]). 

We have $\gamma \le 2$ because of (1), but no family has been found for which $\gamma = 2$. Bigger values of $\gamma$ correspond to more secure coding schemes. A. Lubotzky (see [7]) conjectured that $\gamma \le 4/3$. 

6 Folders 

In practice, for the encryption of large data by graph schemes $(\Gamma, t)$ we need to lift the requirement that the sizes of key space and text space are “close”; $t$ can be much smaller than half of the girth of $\Gamma$. 

For the purpose of convenient encoding by graphs of “potentially infinite” text over a finite alphabet (like the external alphabet of a Turing machine), we need an infinite family of parallelotopic graphs of increasing girth with a hereditary property: we can add a new part of text and encode the entire text in a larger graph in such a way that the encoding of the initial part will be the same. This leads to the idea of a folder of parallelotopic graphs. 

A surjective homomorphism $\eta : \Gamma_1 \to \Gamma_2$ of bipartite parallelotopic graphs $\Gamma_i$, $i = 1, 2$, with labellings $\pi_1$ and $\pi_2$, respectively, such that $\pi_2(\eta(v)) = \pi_1(v)$ is referred to as a parallelotopic morphism of graphs. 

A folder $F$ is a family $\Gamma_j$, $j = 1, 2, \dots$ of graphs and homomorphisms $t_{ij}$ satisfying the following properties. 

(P1) The $\Gamma_i$ are parallelotopic (or bipartite parallelotopic) graphs over a finite set $M$ with local labellings denoted by $\pi$. 

(P2) For any pair $i, j$ of positive integers, $i > j$, there is a parallelotopic morphism $t_{ij}$ from $\Gamma_i$ to $\Gamma_j$. 

(P3) $t_{ij} \circ t_{jk} = t_{ik}$ for $i > j > k$ (commutativity). 

Let us assume the existence of the projective limit $\Gamma$ of the $\Gamma_j$. We refer to $\Gamma$ as the cover of the folder $F$. 
If $\Gamma$ is a forest we refer to the folder as a free parallelotopic folder. It is clear that in this case the $\Gamma_i$, $i = 1, \dots$ form an infinite family of graphs of unbounded girth. There is a canonical parallelotopic morphism $t_i : \Gamma \to \Gamma_i$. If $T$ is a connected component of the forest $\Gamma$ then $t_i(T)$ is a connected component of $t_i(\Gamma)$ and the family $t_i(T)$ is a free folder with the cover $T$. 

Remark. 

Let $\Gamma_i$ be a free folder over $GF(q)$, where the cover $T$ is a $q$-regular tree. We could construct the “theory of $\Gamma_i$-codes” in which the distance in the graph $\Gamma_i$ would play the role of the Hamming metric in the classical case of linear codes. Of course, the Hamming metric is distance-transitive, i.e., for each $k$ the automorphism group acts transitively on pairs of vectors at distance $k$. The distance in the graph $\Gamma_i$ may not be distance-transitive, but we have an “asymptotic” distance transitivity, because of the distance transitivity of the tree $T$ and the fact that $\lim \Gamma_i = T$. 

The following statements justify the definition of folders. 

Theorem 1 (see [9]) There exists a free folder of $k$-regular parallelotopic graphs for any $k > 2$. 

Theorem 2 (see [9]) There exists a free folder of $q$-regular linguistic graphs of affine type over $GF(q)$ for any prime power $q > 2$. 

In fact, Theorem 1 follows from Theorem 2 because we may always consider the $k$-regular induced parallelotopic subgraphs defined by $\pi(v) \in K$, $|K| = k < q$, of the linguistic graph over $GF(q)$. 

Explicit constructions of folders satisfying the requirements of Theorem 2 will be presented in the next section. 

7 Concluding Remarks 

Explicit constructions of optimal folders of linguistic graphs over $M = GF(q)$ with good complexity of computation of walks have been considered in [9]. 

We are exploring one of them, which is the free folder of $q$-regular linguistic graphs $L_n(q)$ such that the input $(x_1, x_2, \dots, x_n) = (x)$ and the output $[y_1, y_2, \dots, y_n] = [y]$ are neighbours if $x_i - y_i = x_{k(i)}\, y_{s(i)}$ for $2 \le i \le n$, where $k(i) < i$, $s(i) < i$ and $n$ can be any number; $\pi((x)) = x_1$, $\pi([y]) = y_1$. 

The extremal properties of this family can be found in [6]. 

In fact the parallelotopic morphism of $L_n(q)$ onto $L_m(q)$, $n > m$, is induced by the canonical projection of the $n$-dimensional vector space onto the $m$-dimensional one. Each graph $L_n(q)$ is similar to the graph from Example 1 above. 

Of course we are not computing the adjacency matrix, but have two affine operators $N(a, (x))$ and $N(a, [y])$ which compute the neighbour of $(x)$ and of $[y]$ with first component $a$. 

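The walk encryption on $L_n(q)$ described above, as an added example (this is not the authors' CRYPTIM code). It assumes the concrete index functions $k(i) = s(i) = i-1$, which the paper leaves to [6], and treats the key as a sequence of colour increments, so that the $j$-th vertex of the walk has first coordinate $x_1 + k_1 + \dots + k_j$; the field is $GF(127)$ as in the timings reported below.

```python
# Added example (not the authors' CRYPTIM code): encryption by non-backtracking
# walks on the linguistic graph L_n(q) over GF(p), p = 127.
# Assumptions: k(i) = s(i) = i - 1 (the paper defers the concrete index
# functions to [6]); the key is a sequence of colour increments, so the j-th
# vertex of the walk has first coordinate x_1 + k_1 + ... + k_j.
from typing import List, Sequence

P = 127  # GF(127): the ASCII alphabet minus DEL, as in the paper's tests


def k_idx(i: int) -> int:
    """Assumed index function k(i) < i."""
    return i - 1


def s_idx(i: int) -> int:
    """Assumed index function s(i) < i."""
    return i - 1


def line_neighbour(x: Sequence[int], a: int, p: int = P) -> List[int]:
    """N(a, (x)): the unique line [y] adjacent to the point (x) with y_1 = a.
    The relation x_i - y_i = x_{k(i)} y_{s(i)} gives y_i = x_i - x_{k(i)} y_{s(i)},
    solvable coordinate by coordinate because k(i), s(i) < i."""
    n = len(x)
    y = [a % p] + [0] * (n - 1)
    for i in range(2, n + 1):                # 1-based coordinate index i
        y[i - 1] = (x[i - 1] - x[k_idx(i) - 1] * y[s_idx(i) - 1]) % p
    return y


def point_neighbour(y: Sequence[int], a: int, p: int = P) -> List[int]:
    """N(a, [y]): the unique point (x) adjacent to the line [y] with x_1 = a."""
    n = len(y)
    x = [a % p] + [0] * (n - 1)
    for i in range(2, n + 1):
        x[i - 1] = (y[i - 1] + x[k_idx(i) - 1] * y[s_idx(i) - 1]) % p
    return x


def walk(start: Sequence[int], colours: Sequence[int], p: int = P) -> List[int]:
    """Follow the walk that starts at the point `start` and, at step j, moves to
    the unique neighbour whose first coordinate is colours[j].  Points and lines
    alternate, so the two affine operators are applied alternately."""
    v, at_point = list(start), True
    for a in colours:
        v = line_neighbour(v, a, p) if at_point else point_neighbour(v, a, p)
        at_point = not at_point
    return v


def check_key(key: Sequence[int], p: int = P) -> None:
    """An even length keeps the ciphertext in the point set (same shape as the
    plaintext); k_j + k_{j+1} != 0 (mod p) keeps the walk from backtracking,
    i.e. it enforces v_i != v_{i+2} from the definition of an encoding sequence."""
    if len(key) == 0 or len(key) % 2:
        raise ValueError("key length must be even and positive")
    for kj, kn in zip(key, key[1:]):
        if (kj + kn) % p == 0:
            raise ValueError("consecutive increments sum to 0 mod p (backtracking)")


def encrypt(plain: Sequence[int], key: Sequence[int], p: int = P) -> List[int]:
    """Encoded vertex v_rho: the colour of step j is x_1 + k_1 + ... + k_j."""
    check_key(key, p)
    colours, c = [], plain[0] % p
    for kj in key:
        c = (c + kj) % p
        colours.append(c)
    return walk(plain, colours, p)


def decrypt(cipher: Sequence[int], key: Sequence[int], p: int = P) -> List[int]:
    """Decoding sequence rho^{-1}: walk back along the same path.  The first
    coordinate of v_{j-1} is recovered from the ciphertext's first coordinate
    by subtracting k_t, k_{t-1}, ... in turn; the last colour is x_1 itself."""
    check_key(key, p)
    colours, c = [], cipher[0] % p
    for kj in reversed(key):
        c = (c - kj) % p
        colours.append(c)
    return walk(cipher, colours, p)


def text_to_vertex(text: str) -> List[int]:
    """ASCII text (codes < 127) as a point of L_n(127), n = len(text)."""
    codes = [ord(ch) for ch in text]
    if any(c >= P for c in codes):
        raise ValueError("only ASCII codes below 127 are representable")
    return codes


def vertex_to_text(v: Sequence[int]) -> str:
    return "".join(chr(c) for c in v)


if __name__ == "__main__":
    key = [3, 5, 40, 126]   # constructed sample key: no two consecutive entries sum to 0 mod 127
    msg = text_to_vertex("Walks on graphs")
    ct = encrypt(msg, key)
    print(ct)
    assert vertex_to_text(decrypt(ct, key)) == "Walks on graphs"
```

Because the projection onto the first two coordinates is itself a parallelotopic morphism onto a graph of girth 6, a non-backtracking walk of length 4 can never return to its start, which is the $v_\rho \ne v$ property used above.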
Let us compare our encryption with the following popular scheme of linear encryption: 

We treat our message as a polynomial $f(x)$ over $GF(q)$ (our tuple is the array of coefficients of $f(x)$). The linear coding procedure is just the multiplication of our $f(x)$ of degree $n - 1$ by a polynomial $g(x)$, $\deg g(x) = t$, $t > 0$. Thus $y$ is just the array of coefficients of the polynomial $F(x) = f(x)g(x)$, $m = \deg F(x) = n + t - 1$. 

It is clear that this symmetric encoding has no resistance to attacks of type (ii), and the sizes of plaintext and ciphertext are different. Counting operations in the case of equal dimensions of the plaintext and the ciphertext for the classical scheme above and for our scheme corresponding to $L_n(q)$, where $q$ is a prime, shows that our encryption is faster. 

We are exploring a straightforward approach to look at what kind of finite automaton (roughly, graph) we need for encryption. 

The development of the prototype CRYPTIM allows us to test the resistance of the algorithm above to attacks of different types. Our initial results from such tests are encouraging ([4]). Let us consider, for example, the case $p = 127$ (size of the ASCII alphabet minus the “delete” character). Let $t(k, l)$ be the time (in seconds) we need to encrypt (or decrypt, because of symmetry) a file of size $k$ kilobytes with a password of length $l$ (key space roughly 2^*) on a Pentium II. Then some values of $t(k, l)$ can be presented by the following matrix (rows $k$, columns $l$): 

k \ l    9   13   17   21   25 
1        1    1    1    2    2 
2        2    3    3    4    4 
3        4    6    8    9   11 
4       16   16   23   30   33 
5       22   27   35   44   52 
6       38   54   64   88  105 

The proposed algorithm is robust and compares well with the performance of some existing algorithms, at least in the case of $L_n(q)$ over a prime $q$. 
Abstract. An algorithm for calculating a set of generators of representative 2-cocycles on semidirect products of finite abelian groups is constructed, in light of the theory of cocyclic matrices developed by Horadam and de Launey in [7,8]. The method involves some homological perturbation techniques [3,1], in the homological counterpart to the work which Grabmeier and Lambe described in [12] from the viewpoint of cohomology. Examples of explicit computations over all dihedral groups $D_{4t}$ are given, with the aid of Mathematica. 



1 Introduction 

Let $G$ be a group, $U$ a trivial $G$-module. Functions $\psi : G \times G \to U$ which satisfy $\psi(a,b)\,\psi(ab,c) = \psi(b,c)\,\psi(a,bc)$, $a, b, c \in G$, are called 2-cocycles [19]. A cocycle is a coboundary $\partial\alpha$ if it is derived from a set mapping $\alpha : G \to U$ having $\alpha(1) = 1$ by $\partial\alpha(a,b) = \alpha(a)^{-1}\alpha(b)^{-1}\alpha(ab)$. For each $G$ and $U$, the set of cocycles forms an abelian group $Z^2(G, U)$ under pointwise multiplication, and the coboundaries form a subgroup $B^2(G, U)$. Two cocycles $\psi$ and $\psi'$ are cohomologous if there exists a coboundary $\partial\alpha$ such that $\psi' = \psi \cdot \partial\alpha$. Cohomology is an equivalence relation and the cohomology class of $\psi$ is denoted $[\psi]$. It follows that the quotient group $Z^2(G, U)/B^2(G, U)$, consisting of the cohomology classes, forms an abelian group $H^2(G, U)$, which is known as the second cohomology group of $G$ with coefficients in $U$. For each $n > 0$ one may define the analogous cocycle in dimension $n$ ($n$-cocycle). In spite of the important role played by cocycles in Algebraic Topology, Representation Theory and Quantum Systems, the problem of explicitly determining a full representative set of $n$-cocycles for given $G$ and $U$ does not appear to have been traditionally studied by cohomologists, at least until the last decade. 

A 2-cocycle $\psi$ is naturally displayed as a cocyclic matrix (associated to $\psi$, developed over $G$); that is, a $|G| \times |G|$ square matrix whose rows and columns are indexed by the elements of $G$ (under some fixed ordering) and whose entry 

* All authors are partially supported by the PAICYT research project FQM-296 from 
Junta de Andalucia and the DGESIC research project PB98-1621-C02-02 from 
Education and Science Ministry (Spain). 
in position $(g, h)$ is $\psi(g, h)$. This notion was fruitfully used by Horadam and de Launey [6,7,15], proving some interesting connections between combinatorial design theory and 2-cocycles, as well as connections between coding theory and 2-cocycles. It is also apparent that cocyclic matrices, associated with cocycles with coefficients in $K_2 = \{-1, 1\}$, account for large classes of so-called Hadamard matrices [8], and may consequently provide a uniform approach to the famous Hadamard conjecture. 
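The definitions above (cocycle identity, coboundary $\partial\alpha$, cocyclic matrix) checked concretely on the dihedral group $D_{2r} = \mathbb{Z}_r \rtimes \mathbb{Z}_2$, the semidirect product law $(a_1, b_1)(a_2, b_2) = (a_1 + \chi(b_1, a_2), b_1 + b_2)$ of Section 2 with $\chi(b, a) = (-1)^b a$, as an added example (not the authors' Mathematica program from [2]). The brute-force coboundary test and the constructed $\alpha$ are assumptions of this example.

```python
# Added example (not the authors' Mathematica program from [2]): checking the
# 2-cocycle identity, building coboundaries and cocyclic matrices over the
# dihedral group D_{2r} = Z_r x| Z_2, modelled as the semidirect product with
# (a1,b1)(a2,b2) = (a1 + chi(b1,a2), b1 + b2) and chi(b,a) = (-1)^b a.
from itertools import product
from typing import Callable, Dict, List, Tuple

Elt = Tuple[int, int]                 # (a, b): a in Z_r, b in Z_2
Cocycle = Callable[[Elt, Elt], int]   # values in K_2 = {-1, 1}


def dihedral(r: int):
    """Elements, multiplication and identity of Z_r x| Z_2 (order 2r)."""
    elements: List[Elt] = [(a, b) for b in range(2) for a in range(r)]

    def mul(g: Elt, h: Elt) -> Elt:
        (a1, b1), (a2, b2) = g, h
        chi = a2 if b1 == 0 else (-a2) % r      # chi(b1, a2) = (-1)^b1 * a2
        return ((a1 + chi) % r, (b1 + b2) % 2)

    return elements, mul, (0, 0)


def is_group(elements, mul, e) -> bool:
    """Sanity check of the law: closure, identity and associativity."""
    S = set(elements)
    for g in elements:
        if mul(g, e) != g or mul(e, g) != g:
            return False
        for h in elements:
            if mul(g, h) not in S:
                return False
            for k in elements:
                if mul(mul(g, h), k) != mul(g, mul(h, k)):
                    return False
    return True


def is_cocycle(psi: Cocycle, elements, mul) -> bool:
    """psi(a,b) psi(ab,c) == psi(b,c) psi(a,bc) for all a, b, c in G."""
    return all(psi(a, b) * psi(mul(a, b), c) == psi(b, c) * psi(a, mul(b, c))
               for a in elements for b in elements for c in elements)


def coboundary(alpha: Dict[Elt, int], mul) -> Cocycle:
    """d alpha(a,b) = alpha(a)^-1 alpha(b)^-1 alpha(ab); in K_2 every value is its own inverse."""
    return lambda a, b: alpha[a] * alpha[b] * alpha[mul(a, b)]


def is_coboundary(psi: Cocycle, elements, mul, e) -> bool:
    """Brute-force search over all alpha: G -> K_2 with alpha(1) = 1.
    Exponential in |G|, so only meant for small groups (here |G| = 8)."""
    others = [g for g in elements if g != e]
    for vals in product((1, -1), repeat=len(others)):
        alpha = dict(zip(others, vals))
        alpha[e] = 1
        d = coboundary(alpha, mul)
        if all(d(a, b) == psi(a, b) for a in elements for b in elements):
            return True
    return False


def cocyclic_matrix(psi: Cocycle, elements) -> List[List[int]]:
    """|G| x |G| matrix with entry psi(g, h) in position (g, h)."""
    return [[psi(g, h) for h in elements] for g in elements]


def inflated_carry(g: Elt, h: Elt) -> int:
    """Pull-back of the Z_2 'carry' cocycle along the homomorphism (a,b) -> b:
    value -1 iff both second coordinates are 1.  Restricted to the subgroup
    {(0,0),(0,1)} it is the non-split cocycle of Z_4, so it is not a coboundary."""
    return -1 if (g[1] == 1 and h[1] == 1) else 1


if __name__ == "__main__":
    G, mul, e = dihedral(4)
    assert is_group(G, mul, e)
    alpha = {g: (-1) ** (g[0] * g[1] + g[0] // 2) for g in G}   # constructed alpha with alpha(e) = 1
    d_alpha = coboundary(alpha, mul)
    print(is_cocycle(d_alpha, G, mul), is_coboundary(d_alpha, G, mul, e))            # True True
    print(is_cocycle(inflated_carry, G, mul), is_coboundary(inflated_carry, G, mul, e))  # True False
    for row in cocyclic_matrix(inflated_carry, G):
        print(" ".join(f"{v:2d}" for v in row))
```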

As a result, over the past decade considerable effort has been devoted to computations of cocycles and cocyclic matrices. Using classical methods involving the Universal Coefficient Theorem, Schur multipliers, inflation and transgression, two algorithms for finding 2-cocycles representing 2-dimensional cohomology classes can be worked out. The first one [7,8] applies to an abelian group $G$ and the second [10] to groups $G$ for which the word problem is solvable. 

Horadam and de Launey’s method is based on an explicit version of the well-known Universal Coefficient Theorem, which provides a decomposition of the second cohomology group into the direct sum of two summands, 

$H^2(G, U) \cong Ext(G/[G, G], U) \oplus Hom(H_2(G), U)$. 

These connections make possible the translation of cocyclic development into a (co)homological framework. 

This link becomes stronger on noting the “Bar construction” [19] related to $G$. It is a DG-module, which consists of the $\mathbb{Z}$-modules 

$M_0(G) = \mathbb{Z}$, $M_m(G) = \langle [g_1, \dots, g_m] : g_i \in G, 1 \le i \le m \rangle$, 

and the differential $\partial$, 

$\partial_1([g_1]) = 0$, 
$\partial_{m+1}([g_1, \dots, g_{m+1}]) = (-1)^{m+1}[g_1, \dots, g_m] + [g_2, \dots, g_{m+1}] + \sum_{i=1}^{m} (-1)^i [g_1, \dots, g_i g_{i+1}, \dots, g_{m+1}]$. 

The quotient $Ker(\partial_m)/Im(\partial_{m+1})$ is known to be the integral homology group of $G$, $H_m(G)$. Let $R_2(G)$ denote the quotient $M_2(G)/Im(\partial_3) \supseteq H_2(G)$. 

Taking into account what $\partial_3$ means, it is readily checked that the map 

$\phi : Z^2(G, K_2) \to Hom(R_2(G), K_2)$ 

$h \mapsto \phi(h)$ 

such that 

j ^ X^a,b)(o,ib) + 1771 ( 82 ) 1 = 

\{a,b)eGxG / {a,b)eGxG 

defines an isomorphism between the set of 2-cocycles and $Hom(R_2(G), K_2)$ [7]. 
The problem of computing a set of generators for 2-cocycles hence translates to the problem of determining a set of coboundary, symmetric and commutator generators, such that 

$Z^2(G, K_2) = B^2(G, K_2) \oplus Ext_{\mathbb{Z}}(G/[G, G], K_2) \oplus Hom(H_2(G), K_2)$. 

A minimal set of symmetric generators may be calculated from a primary invariant decomposition of $G/[G, G] = H_1(G)$, as a Kronecker product of back negacyclic matrices [7]. A minimal set of coboundary generators is derived from the multiplication table of $G$ by means of linear algebra manipulations. But it is far from clear how to get a minimal set of commutator generators in general. One should try to compute the second homology group of $G$ by means of $(M_2, \partial_2, \partial_3)$. Indeed, $\partial_2$ is not needed for finite groups $G$, since $H_2(G)$ is a direct sum of finite cyclic groups in that case. This procedure is not suitable in practice, since the matrices involved are large in most cases. 

On the other hand, Flannery calculates these summands as the images of certain complementary embeddings, called inflation and transgression. The calculation of representative 2-cocycles associated to $Ext(G/[G, G], U)$ (inflation) is canonical. However, the calculation of a complement in $H^2(G, U)$ of the image of the inflation embedding, as the image of transgression, is not canonical: it depends on the choice of a Schur complement. This is a potential source of difficulties in the computation of representative 2-cocycles associated with elements of $Hom(H_2(G), U)$. This method has already been implemented in [11], using the symbolic computational system MAGMA. 

Using a far different approach, Grabmeier and Lambe present in [12] alternate 
methods for calculating representative 2-cocycles for all finite p-groups from 
the point of view of Homological Perturbation Theory [13,14,20]. The computer 
algebra system Axiom has been used in order to make calculations in practice. 

Here we present a method for explicitly determining a full set of representative 2-cocycles for the elements of the second cohomology group $H^2(G, \mathbb{Z})$ where $G$ is $\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s$. All general statements given in this paper are applicable to any semidirect product of finite abelian groups, but for simplicity of exposition only the case $\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s$ will be presented. 

Our method could be seen as a mixture of both the algorithms given by Flannery in [10] and Grabmeier-Lambe in [12]. Indeed, we compute representative 2-cocycles proceeding from $Hom(H_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s), K_2)$. This alternate method is based on some Homological Perturbation techniques developed in the work of the authors [3,1] on the determination of “homological models” (those differential graded modules $hG$ with $H_n(G) = H_n(hG)$, see [4] for instance) for semidirect products of finite abelian gro
ups with group action. The algorithm is straightforward enough to be programmed in any computer algebra system, as we have done in Mathematica [2]. 

The main steps are to define functions $F : M_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s) \to V_2$ and $d_i : V_i \to V_{i-1}$, where the $V_i$ are certain “perturbed” simple algebras. These will be defined in such a way that for any representative 2-cycle $z$ in the quotient $\ker d_2 / Im\, d_3$, the elevation of $z$ through $F$ will define a representative 2-cocycle. This is the homology analogue of the work of Grabmeier-Lambe in [12]. 
It should be noted that explicit formulae for representative 2-cocycles of $\mathbb{Z}_s \rtimes \mathbb{Z}_2$ are given in [21]. The approach explained in this paper covers the more general case of any semidirect product of finite abelian groups. 

Similar algorithms may be considered to reach many other settings, progressing from any finite group with a known homological model. 

2 The Algorithm 

Let $\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s$ be a semidirect product, $\chi$ a group action such that 

$(a_1, b_1) \cdot (a_2, b_2) = (a_1 + \chi(b_1, a_2),\; b_1 + b_2)$, $a_1, a_2 \in \mathbb{Z}_r$, $b_1, b_2 \in \mathbb{Z}_s$. 

Let us consider the following auxiliary sets 

$V_2 = \mathbb{Z}[x^2, xy, y^2]$, $V_3 = \mathbb{Z}[x^3, x^2 y, x y^2, y^3]$, 

$B_2 = \{[n, m] \otimes [] : 1 \le n, m < r\} \cup \{[n] \otimes [m] : 1 \le n < r, 1 \le m < s\} \cup \{[] \otimes [n, m] : 1 \le n, m < s\}$, 

$B_3 = \{[n, m, k] \otimes [] : 1 \le n, m, k < r\} \cup \{[n, m] \otimes [k] : 1 \le n, m < r, 1 \le k < s\} \cup \{[n] \otimes [m, k] : 1 \le n < r, 1 \le m, k < s\} \cup \{[] \otimes [n, m, k] : 1 \le n, m, k < s\}$. 

We will define $\mathbb{Z}$-linear functions $g_3 : V_3 \to B_3$, $f_i : B_i \to V_i$ for $i = 2, 3$, $\phi_2 : B_2 \to B_3$, $p_3 : B_3 \to B_2$, $D_3 : V_3 \to V_2$ and $f_\infty : B_2 \to V_2$. Let 



$g_3(x^3) = ([1, 1, 1] + \cdots + [1, r-1, 1]) \otimes []$, 
$g_3(x^2 y) = ([1, 1] + \cdots + [1, r-1]) \otimes [1]$, 
$g_3(x y^2) = [1] \otimes ([1, 1] + \cdots + [1, s-1])$, 
$g_3(y^3) = [] \otimes ([1, 1, 1] + \cdots + [1, s-1, 1])$, 

$f_2([n, m] \otimes []) = x^2$, if $n + m \ge r$, 
$f_2([n] \otimes [m]) = (nm)\, xy$, 
$f_2([] \otimes [n, m]) = y^2$, if $n + m \ge s$, 

$f_3([n, m, k] \otimes []) = k\, x^3$, if $n + m \ge r$, 
$f_3([n, m] \otimes [k]) = k\, x^2 y$, if $n + m \ge r$, 
$f_3([n] \otimes [m, k]) = n\, x y^2$, if $m + k \ge s$, 
$f_3([] \otimes [n, m, k]) = k\, y^3$, if $n + m \ge s$, 

$\phi_2([n, m] \otimes []) = -([1, 1, m] + \cdots + [1, n-1, m]) \otimes []$, 
$\phi_2([n] \otimes [m]) = -([1, 1] + \cdots + [1, n-1]) \otimes [m] + [n] \otimes ([1, 1] + \cdots + [1, m-1])$, 
$\phi_2([] \otimes [n, m]) = -[] \otimes ([1, 1, m] + \cdots + [1, n-1, m])$, 

$p_3([n, m] \otimes [k]) = [\chi(k, n), \chi(k, m)] \otimes [] - [n, m] \otimes []$, 
$p_3([n] \otimes [m, k]) = [n] \otimes [k] - [\chi(m, n)] \otimes [k]$, 

$D_3(x^2 y) = r\, xy$, 
$D_3(x y^2) = -s\, xy$. 
These morphisms are understood to be zero otherwise. Let us define 

$d_3 = D_3 + f_2 p_3 g_3 - f_2 p_3 \phi_2 p_3 g_3 + f_2 (p_3 \phi_2)^2 p_3 g_3 - \cdots$ 

and $f_\infty : B_2 \to V_2$, 

$f_\infty = f_2 - f_2 p_3 \phi_2 + f_2 (p_3 \phi_2)^2 - \cdots$ 

Geometric series of these types converge to define a map, as is proved in the more general setting of generalized semidirect products of finite abelian groups in [1]. The point is that $p_*$ decreases the dimension of the second component, and $\phi_*$ either increases the dimension only of the first component or decreases the value of the element in the second component. Hence the composition $p_3 \phi_2$ becomes nilpotent. 

Notice that the sets $B_i$ defined above consist of the products 

$B_i = \bigoplus_{0 \le j \le i} \cdots$ 



There is a connecting map $F_2 : M_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s) \to B_2$, so that 

$F_2[(a_1, b_1), (a_2, b_2)] = [] \otimes [b_2, b_1] + 2[\chi(b_2, a_2)] \otimes [b_1] + 2[\chi(b_2, a_2), \chi(b_2 b_1, a_1)] \otimes [] - [\chi(b_2 b_1 b_2, a_2), \chi(b_2 b_1 b_2 b_1, a_1)] \otimes [] - [\chi(b_2 b_2, a_2)] \otimes [b_1]$. 

Theorem 1. Assume the notation above. 

1. $H_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s) = H_2(V_2)$, which is computed from $d_3$. 

2. The map $F = f_\infty \circ F_2 : M_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s) \to V_2$ induces an isomorphism in homology, such that for any $z \in H_2(V_2)$ the elevation of $z$ through $F$ defines a cocyclic matrix over $\mathbb{Z}_2$. 

In [1] the authors find a homological model for semidirect products of finite abelian groups. In particular, attending to the groups $\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s$, it is proved that $H_2(M_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s)) = H_2(V_2)$. Moreover $F$ is shown to induce an isomorphism in homology. 

Nevertheless the formula for F is not explicitly given there, since it is compli- 
cated to give an explicit formula for /oo in the general case of semidirect products 
of groups. 

It is a remarkable fact that for every finite group $G$, $H_2(G)$ is a finite abelian group [5]. This way, only $d_3$ is needed in order to compute $H_2(V_2)$ by means of Veblen’s algorithm [22]. 

This process consists in calculating the integer Smith normal form $D$ of the matrix $M$ representing $d_3$ with regard to the bases $B = \{x^3, x^2 y, x y^2, y^3\}$ and $B' = \{x^2, xy, y^2\}$. 

Let $U = \{u_1, u_2, u_3, u_4\}$ and $V = \{v_1, v_2, v_3\}$ define these changes of basis, such that $D_{UV} = P M_{BB'} Q$ for appropriate change-of-basis matrices $P$ and $Q$. 

Now we explain what we mean with “elevate z through F” . 
We want to determine all cocyclic matrices over $\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s$. That is, all representative 2-cocycles of $\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s$. Thus it suffices to calculate which $x$ in $M_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s)$ are shown to give nontrivial homological information. 

For each generator $z$ in $H_2(V_2)$, the elevation of $z$ through $F$ relates to the set of elements in $M_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s)$ which project onto $z$ with 2-homological information. This can be achieved in two single elevations: one from $V_2$ to $B_2$, the other from $B_2$ to $M_2(\mathbb{Z}_r \rtimes_\chi \mathbb{Z}_s)$. 

From the theorem above, an algorithm for calculating representative 2-cocycles may be derived in a straightforward manner. 

Notice that the map $F$ should be called the universal 2-cochain, following Grabmeier-Lambe’s notation in [12]. 

Algorithm 1. Input data: a semidirect product $\mathbb{Z}_r \times_\chi \mathbb{Z}_s$. 

Step 1. Compute $\partial_3 : V_3 \to V_2$, the differential of the homological model of $\mathbb{Z}_r \times_\chi \mathbb{Z}_s$ in dimension 3. 

Step 2. Compute $H_2(\mathbb{Z}_r \times_\chi \mathbb{Z}_s)$ and representative cycles from $\partial_3$. 

Step 3. Elevate the representative cycles from $H_2(\mathbb{Z}_r \times_\chi \mathbb{Z}_s)$ to $M_2(\mathbb{Z}_r \times_\chi \mathbb{Z}_s)$ via $F$. 

Output data: set of commutator generators for a basis of cocyclic matrices over $\mathbb{Z}_r \times_\chi \mathbb{Z}_s$. 

It should be taken into account that Step 2 often requires computing the Smith normal form of the matrix corresponding to $\partial_3$, which is always of size $4 \times 3$, independently of the indexes $r$ and $s$ of the factors. This is the fundamental improvement in the calculation of the commutator generators, since the size of the matrices which arise from the complex depends on the order of the group (the matrix corresponding to the operator $\partial_3$ is of size $(rs)^3 \times (rs)^2$ for the semidirect product $\mathbb{Z}_r \times_\chi \mathbb{Z}_s$). 

It may be possible to extend Theorem 1 and its associated algorithm to certain other families of groups with homological models already known, such as central extensions [18], finitely generated torsion-free nilpotent groups [16], metacyclic groups [17] and many others. It is only needed to find explicit formulae for the analogues of the maps $F_2$ and $F$. 



3 An Example: Dihedral Groups $D_{2t\cdot 2}$ 

In this section we apply Algorithm 1 in the particular case of dihedral groups. A Mathematica program is used, which the authors provide in [2]. 

It should be noted that dihedral groups $D_{t\cdot 2}$ for odd values of $t$ do not provide 2-homological information, since $H_2(D_{t\cdot 2})$ is known to be zero in this case. 

Let $D_{2t\cdot 2} = \{(0,0), (1,0), \dots, (2t-1,0), (0,1), (1,1), \dots, (2t-1,1)\}$, with 

$$\chi(0, n) = n, \qquad \chi(1, n) = 2t - n, \qquad \forall n \in \mathbb{Z}_{2t}.$$ 
An explicit formula for $F$ can be worked out for these groups, so that if we define $\Delta : \mathbb{Z}_k \times \mathbb{Z}_k \to \mathbb{Z}_2$, $k \ge 2$, as $\Delta[x, y] = 1$ if $x + y \ge k$ and $0$ otherwise, it is readily checked that 

F[{ai,bi),{a2,b2)] = + 26ix(&2, a2)xy + 26i(x(&2, 02 ) - l)x^+ 

+2A[x(& 2, 02), x(^2&i, ai)]a;^ - A[x(6i, 02), ai]a;^ - 0261x1/ - 61(02 - l)x^. 

Let us consider the cases $t = 1$, $D_{2\cdot 2} = \{(0,0), (1,0), (0,1), (1,1)\}$; $t = 2$, $D_{4\cdot 2} = \{(0,0), (1,0), (2,0), (3,0), (0,1), (1,1), (2,1), (3,1)\}$; and $t = 6$, $D_{12\cdot 2} = \{(0,0), (1,0), \dots, (11,0), (0,1), (1,1), \dots, (11,1)\}$. 

Step 1. Compute $\partial_3$. 

    ∂_3(V_3)     t = 1      t = 2           t = 6
    x^3          0          0               0
    x^2 y        2xy        2x^2 + 4xy      10x^2 + 12xy
    x y^2        -2xy       -2x^2 - 4xy     -10x^2 - 12xy
    y^3          0          0               0



Step 2. Compute $H_2(D_{2t\cdot 2})$ and representative cycles from $\partial_3$. 

In order to compute $H_2(D_{2t\cdot 2})$ in the cases $t = 1, 2, 6$, it is useful to calculate the Smith normal form $D_t = P_t M_t Q_t$ of the matrix $M_t$ associated to $\partial_3$, with basis change matrices $P_t$ and $Q_t$, respectively. 

Hence, $H_2(D_{2t\cdot 2}) = \mathbb{Z}_2$ for $t = 1, 2, 6$ and the representative cycle is the first element in the new basis $U$ of $\mathbb{Z}[V_2]$. 

In order to translate to the basis $B$ of $\mathbb{Z}[V_2]$ the homological information which $H_2(D_{2t\cdot 2})$ provides, it suffices to select the odd entries of each of the columns of $Q_t$ corresponding to each representative cycle in the basis $U$ (that is, to select which elements of $\mathbb{Z}[V_2]$ with regard to basis $B$ have an odd entry in the position corresponding to a representative cycle with coordinates in basis $U$). The homological information is concentrated in elements with coordinates $(-, n, -)_B$ for odd values of $n$ in the case $t = 1$, in elements $(n, -, -)_B$ for odd values of $n$ in the case $t = 2$, and in elements $(n, m, -)_B$ for $n, m$ of distinct parity in the case $t = 6$. 
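As an added worked example for Steps 1 and 2 (not code from the paper or from its Mathematica program [2]), the following Python computes the integer Smith normal form $D_t = P_t M_t Q_t$ of the tabulated $\partial_3$ matrices and reads the "odd entry" rule off the first column of $Q_t$. The matrices for $t = 1, 2, 6$ are transcribed from the table in Step 1; the formula used for any other $t$ is an extrapolation from those three cases and is an assumption of this example, not a statement of the paper.

```python
# Rows of M_t are indexed by B = {x^3, x^2 y, x y^2, y^3} (basis of Z[V_3]),
# columns by B' = {x^2, xy, y^2} (basis of Z[V_2]); entries from the Step 1 table.
BOUNDARY_D3 = {
    1: [[0, 0, 0], [0, 2, 0], [0, -2, 0], [0, 0, 0]],
    2: [[0, 0, 0], [2, 4, 0], [-2, -4, 0], [0, 0, 0]],
    6: [[0, 0, 0], [10, 12, 0], [-10, -12, 0], [0, 0, 0]],
}


def boundary_d3(t):
    """Matrix of d_3 for D_{2t.2}.  For t in {1, 2, 6} this is the tabulated matrix.
    For other t the pattern d_3(x^2 y) = (2t-2) x^2 + 2t xy = -d_3(x y^2) is an
    ASSUMED extrapolation that reproduces the three tabulated cases."""
    if t in BOUNDARY_D3:
        return [row[:] for row in BOUNDARY_D3[t]]
    return [[0, 0, 0], [2 * t - 2, 2 * t, 0], [2 - 2 * t, -2 * t, 0], [0, 0, 0]]


def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]


def smith_normal_form(M):
    """Return (D, P, Q) with D = P M Q diagonal, each diagonal entry dividing the
    next, and P, Q unimodular (elementary row/column operations, as in Veblen's
    algorithm).  Works over the integers for any small matrix."""
    A = [list(r) for r in M]
    m, n = len(A), len(A[0])
    P = [[int(i == j) for j in range(m)] for i in range(m)]
    Q = [[int(i == j) for j in range(n)] for i in range(n)]

    def swap_rows(i, j):
        A[i], A[j] = A[j], A[i]
        P[i], P[j] = P[j], P[i]

    def swap_cols(i, j):
        for row in A:
            row[i], row[j] = row[j], row[i]
        for row in Q:
            row[i], row[j] = row[j], row[i]

    def add_row(i, j, c):  # row i += c * row j
        A[i] = [a + c * b for a, b in zip(A[i], A[j])]
        P[i] = [a + c * b for a, b in zip(P[i], P[j])]

    def add_col(i, j, c):  # col i += c * col j
        for row in A:
            row[i] += c * row[j]
        for row in Q:
            row[i] += c * row[j]

    for t in range(min(m, n)):
        # pivot: the nonzero entry of smallest magnitude in the trailing block
        piv = min(((abs(A[i][j]), i, j) for i in range(t, m)
                   for j in range(t, n) if A[i][j]), default=None)
        if piv is None:
            break
        swap_rows(t, piv[1])
        swap_cols(t, piv[2])
        while True:
            changed = False
            for i in range(t + 1, m):            # clear column t below the pivot
                if A[i][t]:
                    add_row(i, t, -(A[i][t] // A[t][t]))
                    if A[i][t]:                  # Euclid: remainder becomes the pivot
                        swap_rows(i, t)
                        changed = True
            for j in range(t + 1, n):            # clear row t right of the pivot
                if A[t][j]:
                    add_col(j, t, -(A[t][j] // A[t][t]))
                    if A[t][j]:
                        swap_cols(j, t)
                        changed = True
            if changed:
                continue
            # Smith condition: the pivot must divide every entry of the trailing block
            bad = [(i, j) for i in range(t + 1, m) for j in range(t + 1, n)
                   if A[i][j] % A[t][t]]
            if not bad:
                break
            add_row(t, bad[0][0], 1)
        if A[t][t] < 0:
            A[t] = [-a for a in A[t]]
            P[t] = [-a for a in P[t]]
    return A, P, Q


def homology_parity_rule(t):
    """Elementary divisors of d_3 (torsion of H_2) and the first column q of Q_t:
    z = (n, m, r) in basis {x^2, xy, y^2} carries the 2-homological information
    exactly when z . q is odd (the 'odd entry' criterion of Step 2)."""
    D, P, Q = smith_normal_form(boundary_d3(t))
    divisors = [D[i][i] for i in range(min(len(D), len(D[0]))) if D[i][i]]
    return divisors, [row[0] for row in Q]


def carries_homology(t, z):
    _, q = homology_parity_rule(t)
    return sum(a * b for a, b in zip(z, q)) % 2 == 1
```

For $t = 6$ the first column of $Q_6$ comes out as $(-1, 1, 0)$, which is exactly the "$n, m$ of distinct parity" rule.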
Step 3. Elevate the representative cycles from $H_2(D_{2t\cdot 2})$ to $M_2(D_{2t\cdot 2})$ via $F$. 

It suffices to detect which elements of $M_2(D_{2t\cdot 2})$ are carried via $F$ to elements $(-, n, -)_B$ for odd $n$ ($t = 1$), $(n, -, -)_B$ for odd $n$ ($t = 2$), and $(n, m, -)_B$ for $n, m$ of distinct parity ($t = 6$). These elements indicate the positions in the $|D_{2t\cdot 2}| \times |D_{2t\cdot 2}|$ commutator cocyclic generator matrix which are not trivial. 

In the case $t = 1$, we obtain the following elements: 

[(0, 1), (1, 0)], [(1, 1), (1, 0)], [(0, 1), (1, 1)], [(1, 1), (1, 1)]. 

For $t = 2$, 

[(1, 0), (3, 0)], [(1, 0), (3, 1)], [(2, 0), (2, 0)], [(2, 0), (3, 0)], [(2, 0), (2, 1)], 

[(2, 0), (3, 1)], [(3, 0), (1, 0)], [(3, 0), (2, 0)], [(3, 0), (3, 0)], [(3, 0), (0, 1)], 

[(3, 0), (2, 1)], [(3, 0), (3, 1)], [(0, 1), (2, 0)], [(0, 1), (2, 1)], [(1, 1), (1, 0)], 

[(1, 1), (2, 0)], [(1, 1), (1, 1)], [(1, 1), (3, 1)], [(2, 1), (1, 0)], [(2, 1), (1, 1)], 

[(3, 1), (1, 0)], [(3, 1), (3, 0)], [(3, 1), (1, 1)], [(3, 1), (3, 1)]. 

In the case $t = 6$, the elements which are carried via $F$ to elements $(n, m, -)_B$ for $n, m$ of distinct parity are those $[(a_1, b_1), (a_2, b_2)]$ such that 

$b_1 = 0$, $a_1 + a_2 > 11$; or $b_1 = 1$, $a_1 < a_2$. 

Output data: set of commutator generators for a basis of cocyclic matrices over $D_{2t\cdot 2}$, $t = 1, 2, 6$. Assuming $K^2 = 1$, we obtain 

$$t = 1:\ \begin{pmatrix} A_1 & A_1 \\ B_1 & B_1 \end{pmatrix}, \qquad t = 2:\ \begin{pmatrix} A_2 & A_2 \\ B_2 & B_2 \end{pmatrix}, \qquad t = 6:\ \begin{pmatrix} A_6 & A_6 \\ B_6 & B_6 \end{pmatrix},$$ 

where 

$$A_2 = \begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & 1 & K \\ 1 & 1 & K & K \\ 1 & K & K & K \end{pmatrix}, \qquad B_2 = \begin{pmatrix} 1 & 1 & K & 1 \\ 1 & K & K & 1 \\ 1 & K & 1 & 1 \\ 1 & K & 1 & K \end{pmatrix}.$$ 

[$A_1$ and the $12 \times 12$ matrices $A_6$ and $B_6$ are not legible in the scan.] 

Note that $A_6$ is usually called back negacyclic. 

In general, it may be proved that for $t > 2$ the computation of $H_2(D_{2t\cdot 2})$ reduces to the matrices 

$$D_t = \begin{pmatrix} 2 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix} \qquad \text{and} \qquad Q_t = \text{[not legible in the scan]}$$ 

so that $H_2(D_{2t\cdot 2}) = \mathbb{Z}_2$ and the homological information is concentrated in elements with coordinates $(n, m, -)_B$ for $n, m$ of distinct parity. 

Hence, the set of commutator generators for a basis of cocyclic matrices over $D_{2t\cdot 2}$ reduces to $\begin{pmatrix} A_t & A_t \\ B_t & B_t \end{pmatrix}$, where $A_t$ is the corresponding back negacyclic matrix and $B_t$ is the matrix whose rows are those of $A_t$ displayed in reverse order. 

It should be noted that the cocyclic matrices over dihedral groups have already been found from Flannery's techniques in [10]. 



Remark 1. The case $t = 2$ is also studied in [7], where the commutator generator is said to be 

$$\begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & 1 & 1 & B & B & 1 & 1 & 1 \\
1 & 1 & B & B & B & 1 & 1 & B \\
1 & B & B & B & B & 1 & B & B \\
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & B & B & B & B & 1 & B & B \\
1 & 1 & B & B & B & 1 & 1 & B \\
1 & 1 & 1 & B & B & 1 & 1 & 1
\end{pmatrix}$$ 

with $B^2 = 1$. 

Both matrices differ in the (Hadamard) product of a coboundary generator $C$ and a symmetric generator $S$, which are 

$$C = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & A & 1 & A & A & A & 1 & 1 \\
1 & 1 & 1 & 1 & A & 1 & A & 1 \\
1 & A & 1 & A & A & 1 & 1 & A \\
1 & 1 & A & 1 & 1 & 1 & A & 1 \\
1 & A & 1 & 1 & A & 1 & 1 & 1 \\
1 & A & A & A & A & A & 1 & A \\
1 & 1 & 1 & A & A & 1 & 1 & 1
\end{pmatrix}, \qquad
S = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & D & 1 & D & 1 & D & 1 & D \\
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & D & 1 & D & 1 & D & 1 & D \\
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & D & 1 & D & 1 & D & 1 & D \\
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & D & 1 & D & 1 & D & 1 & D
\end{pmatrix}$$ 

with $A = D = -1$. 

The matrix $C$ arises from any of the set maps $\alpha_k : D_{4\cdot 2} \to K_2$, $k \in \{1, -1\}$, 

$$\alpha(0,0) = 1, \quad \alpha(1,0) = -1, \quad \alpha(2,0) = -1, \quad \alpha(3,0) = 1,$$ 

$$\alpha(0,1) = k, \quad \alpha(1,1) = k, \quad \alpha(2,1) = k, \quad \alpha(3,1) = -k.$$ 
Abstract. New algorithms are described and analysed for solving various problems associated with a large integer matrix: computing the Hermite form, computing a kernel basis, and solving a system of linear diophantine equations. The algorithms are space-efficient and for certain types of input matrices, for example those arising during the computation of class groups and regulators, are faster than previous methods. Experiments with a prototype implementation support the running time analyses. 

1 Introduction 

Let $A \in \mathbb{Z}^{n \times (n+k)}$ with full row-rank be given. The lattice $\mathcal{L}(A)$ is the set of all $\mathbb{Z}$-linear combinations of columns of $A$. This paper describes new algorithms for solving the following problems involving $\mathcal{L}(A)$: computing the Hermite basis, computing a kernel basis, and, given an integer vector $b$, computing a diophantine solution $x$ (if one exists) to the linear system $Ax = b$. 

By Hermite basis of $A$ we mean the unique lower-triangular matrix $H \in \mathbb{Z}^{n \times n}$ such that $\mathcal{L}(H) = \mathcal{L}(A)$ and each off-diagonal entry is nonnegative and strictly smaller than the positive diagonal entry in the same row. A kernel for $A$ is an $N \in \mathbb{Z}^{(n+k) \times k}$ such that $\mathcal{L}(N) = \{v \in \mathbb{Z}^{n+k} \mid Av = 0\}$. The problem of computing $H$ and $N$ often occurs as a subproblem of a larger number-theoretic computation, and the input matrices arising in these applications often have some special properties. The algorithms we give here are designed to be especially efficient for an input matrix $A \in \mathbb{Z}^{n \times (n+k)}$ which satisfies the following properties: 

— $A$ is sparse. More precisely, let $\mu$ be the number of nonzero entries in $A$. Then $\mu =$ [bound not legible in the scan] for some $0 < \epsilon < 1$. 

— The dimension $k$ of the kernel is small compared with $n$. 

— Let $l$ be the smallest index such that the principal $(n-l) \times (n-l)$ submatrix of the Hermite basis $H$ of $\mathcal{L}(A)$ is the identity. Then $l$ is small compared with $n$. 

Sparse input matrices which satisfy these conditions on $k$ and $l$ are typical in computations of class groups and regulators of quadratic fields using the algorithm described in [4,7]. The diagonal elements of the Smith form of the matrix yield the elementary divisors of the class group (i.e., they give the class group as a product of cyclic groups), and the kernel (in the case of real quadratic fields) is used to compute the regulator. In practice, the number of diagonal elements of the Hermite basis which are not one is rarely larger than the rank of the class group. Since class groups are often cyclic or very close to being cyclic (as predicted by the Cohen-Lenstra heuristics [1]), $l$ is small as well. Thus, the algorithms described in this paper are especially effective for these types of input. 

Many algorithms have been proposed for computing the Hermite basis; for a survey we refer to [12]. The algorithm proposed in [12], which is deterministic and computes a unimodular transformation matrix but does not exploit the sparsity of $A$ or the fact that $l$ may be small, requires about O(n^(log ||A||)^) bit operations, where $\|A\| = \max_{i,j} |A_{ij}|$. Moreover, that algorithm requires intermediate storage for about O(n^(log ||A||)) bits. The algorithm we propose computes $H$ in an expected number of about O(μn^(log ||A||) + n^(log ||A||)^(l^ + k log ||A||)) bit operations. When $A$ is sparse and $k$ and $l$ are small compared to $n$ we essentially obtain an algorithm which requires about O(n^(log ||A||)^) bit operations. Moreover, the algorithm requires intermediate space for only about O(n^ log ||A||) bits, for both sparse and dense input matrices. However, in practice, when $A$ is sparse the storage requirements are reduced by a factor of two. 



Table 1. Running times: $A$ with constant size entries and $k < n$. 

    Section                        Word operations                   Type
    §3 Permutation conditioning    O(n^)                             LV
    §4 Leading minor computation   O(μn^(log n))                     LV
    §5 Lattice conditioning        O(kn^(log n)^)                    DET
    §6 Kernel basis computation    O(k^n^(log n)^)                   DET
    §7 Hermite basis computation   O(kn^(log n)^ + l^n^(log n)^)     DET
    §8 System solving              O(n^(log n)^)                     DET

For the analyses of our algorithms we assume we are working on a binary computer which has words of length $\omega$, and if we are working with an input matrix $A \in \mathbb{Z}^{n \times (n+k)}$ that $\omega$ satisfies 

ω ≥ max(6 + log log((√n ||A||)^n), 1 + log(2(n^ + n))).   (1) 

Primes in the range $2^{\omega-1}$ and $2^{\omega}$ are called wordsize primes. We assume that a wordsize prime can be chosen uniformly and randomly at unit cost. Complexity results will be given in terms of word operations. For a more thorough discussion of this model see the text [13]. 

The computation is divided into a number of phases. The first three phases (described in Sections 3, 4 and 5) can be viewed as precomputation. Once these are complete, computing a kernel and Hermite basis, as well as solving diophantine systems involving $A$, can be accomplished deterministically in the running times indicated in Table 1. 

The first phase, permutation conditioning, is to find a wordsize prime $p$ for which $A$ has full row-rank modulo $p$ and permute the columns via a permutation matrix $P$ such that the principal $n \times n$ submatrix $B_1$ has generic rank-profile: $B = AP = [B_1 \mid B_2]$. The inverse modulo $p$ of $B_1$ is also computed during this phase. 

The second phase, leading minor computation, is to compute the determinant $d$ of $B_1$. This is the only phase where we exploit the possible sparseness of $A$ to get a better asymptotic running-time bound. In practice, we use Wiedemann's algorithm modulo a collection of distinct primes; this is easy to parallelize. 

The third phase, lattice conditioning, is to compute a $Q \in \mathbb{Z}^{k \times n}$ which is used to compress the information from the columns of $B_2$ with $B_1$ to obtain a single $n \times n$ matrix $B_1 + B_2 Q$ from which the Hermite basis of $B$ can be recovered. 

2 Preliminaries 

We recall the notion of a recursive and iterated inverse. Let $R$ be a commutative ring with identity. 

Recursive Inverse 

Suppose that $A \in R^{n \times n}$ enjoys the special property that each principal minor is invertible over $R$. The recursive inverse is a data structure that requires space for only ring elements but gives us the inverse of all principal minors of $A$. By “gives us” the inverse we mean that we can compute a given inverse × vector or vector × inverse product in quadratic time, just as if we had the inverse explicitly. 

For $i = 1, \dots, n$ let $A_i$ denote the principal $i \times i$ submatrix of $A$. Let $d_i$ be the $i$-th diagonal entry of $A$. For $i = 2, \dots, n$ let $u_i \in R^{1 \times (i-1)}$ and $v_i \in R^{(i-1) \times 1}$ be the submatrices of $A$ comprised of the first $i - 1$ entries in row $i$ and column $i$, respectively. In other words, for $i > 1$ we have 

[block decomposition of $A_i$ in terms of $A_{i-1}$, $u_i$, $v_i$ and $d_i$ not legible in the scan] 

The recursive inverse of $A$ is the expansion 

$$A^{-1} = V_n D_n U_n \cdots V_2 D_2 U_2 V_1 D_1 U_1 D_0, \qquad (2)$$ 

where $V_i$, $D_i$ and $U_i$ are $n \times n$ matrices defined as follows. For $i = 1, 2, \dots, n$ let $B_i = \mathrm{diag}(A_i^{-1}, I_{n-i}) \in R^{n \times n}$. Then 

$D_0 =$ [block matrix whose trailing block is $I_{n-1}$; leading block not legible in the scan] 
and for $i > 1$ we have 

[block definitions of $V_i$, $B_i$, $D_i$ and $U_i$ not legible in the scan; the recoverable fragments are the blocks $-B_{i-1} v_i$, $(d_i - \cdots)^{-1}$ and $-u_i$, each padded with identity blocks $I_{i-1}$ and $I_{n-i}$] 

The expression (2) for $A^{-1}$ as the product of structured matrices has some practical advantages in addition to giving us the inverse of all principal submatrices. Suppose that $A$ is sparse, with $O(n^{1+\epsilon})$ entries for some $0 < \epsilon < 1$. Then the $V_i$ will also be sparse and $A^{-1} v$ or $v A^{-1}$ for a given $v \in R^{n \times 1}$ can be computed in $n^2/2 +$ ring operations. 



Iterated Inverse 

Now, let $U \in R^{n \times k}$ and $V \in R^{k \times n}$ be given in addition to $A$. Suppose the perturbed matrix $A + UV$ is invertible. The iterated inverse is a data structure that gives us $(A + UV)^{-1}$ but requires only O(n^k) ring operations to compute if we already have the inverse of $A$. 

For $i = 0, 1, 2, \dots, k$ let $U_i$ and $V_i$ be the submatrices of $U$ and $V$ comprised of the principal $i$ columns and rows, respectively. Let $u_i$ and $v_i$ be the $i$-th column and row of $U$ and $V$, respectively. Note that $u_i v_i$ is an $n \times n$ matrix over $R$ while $v_i u_i$ is a $1 \times 1$ matrix over $R$. For $i = 0, 1, \dots, k$ suppose that $(A + U_i V_i)$ is invertible, and let $B_i = (A + U_i V_i)^{-1}$. Then $B_0 = A^{-1}$ and for $i > 0$ we have 

$$B_i = (I + u_i' v_i) B_{i-1} \quad \text{where} \quad u_i' = -\frac{1}{1 + v_i B_{i-1} u_i}\, B_{i-1} u_i \in R^{n \times 1}.$$ 

The vector $u_i'$ can be computed using $B_{i-1}$ in O(n^ + ni) ring operations. Thus, if we start with $B_0$, we can compute the iterated inverse expansion 

$$(A + UV)^{-1} = (I + u_k' v_k) \cdots (I + u_2' v_2)(I + u_1' v_1) A^{-1}$$ 

in O(n^k + nk^) ring operations. Using the iterated inverse, we can compute $(A + UV)^{-1} u$ or $v (A + UV)^{-1}$ for a given $u \in R^{n \times 1}$ using O(n^ + nk) ring operations. Note that for our applications $k$ is typically much smaller than $n$. 
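An added example, not from the paper or its C/GNU MP implementation: the iterated inverse over $\mathbb{Z}_p$, the setting of the modulo $p$ iterated inverse $W$ used in Section 5. It builds the factors $(I + u_i' v_i)$ from $A^{-1}$ exactly as in the expansion above, then applies $(A+UV)^{-1}$ to a vector using only $A^{-1}$ and the $k$ rank-one factors, never forming $(A+UV)^{-1}$ explicitly; the matrices, the vector and the prime $p = 101$ are constructed for this example and stand in for a wordsize prime.

```python
P_MOD = 101  # constructed: a small prime standing in for the wordsize prime p

# Constructed sample input: A is 4 x 4 tridiagonal (det 5), U is 4 x 2, V is 2 x 4.
# Both intermediate perturbations A + U_i V_i are invertible modulo 101.
EXAMPLE_A = [[2, 1, 0, 0], [1, 2, 1, 0], [0, 1, 2, 1], [0, 0, 1, 2]]
EXAMPLE_U = [[1, 0], [1, 0], [0, 1], [0, 1]]
EXAMPLE_V = [[1, 0, 0, 1], [0, 1, 1, 0]]


def matmul(X, Y, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*Y)] for row in X]


def matvec(X, v, p):
    return [sum(a * b for a, b in zip(row, v)) % p for row in X]


def vecmat(v, X, p):
    return [sum(a * b for a, b in zip(v, col)) % p for col in zip(*X)]


def mat_inv_mod(A, p):
    """Gauss-Jordan inverse of A modulo the prime p (used for A^{-1} and as a check)."""
    n = len(A)
    M = [[x % p for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            raise ValueError("matrix is singular modulo p")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, p)
        M[c] = [x * inv % p for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]


def iterated_inverse(Ainv, U, V, p):
    """Build (A+UV)^{-1} = (I + u'_k v_k) ... (I + u'_1 v_1) A^{-1} modulo p.
    Returns (B_k, factors): the explicit inverse (kept only for checking) and the
    list of rank-one factors (u'_i, v_i) that the data structure actually stores."""
    n, k = len(U), len(U[0])
    B = [row[:] for row in Ainv]               # B_0 = A^{-1}
    factors = []
    for i in range(k):
        u = [U[r][i] for r in range(n)]        # i-th column of U
        v = V[i]                               # i-th row of V
        Bu = matvec(B, u, p)                   # B_{i-1} u_i
        denom = (1 + sum(a * b for a, b in zip(v, Bu))) % p   # 1 + v_i B_{i-1} u_i
        if denom == 0:
            raise ValueError(f"A + U_{i + 1} V_{i + 1} is singular modulo p")
        scale = (-pow(denom, -1, p)) % p
        uprime = [scale * x % p for x in Bu]   # u'_i = -(1 + v_i B_{i-1} u_i)^{-1} B_{i-1} u_i
        vB = vecmat(v, B, p)
        # B_i = (I + u'_i v_i) B_{i-1} = B_{i-1} + u'_i (v_i B_{i-1})
        B = [[(B[r][c] + uprime[r] * vB[c]) % p for c in range(n)] for r in range(n)]
        factors.append((uprime, v))
    return B, factors


def apply_iterated_inverse(Ainv, factors, w, p):
    """(A+UV)^{-1} w from A^{-1} and the k rank-one factors alone: one matrix-vector
    product with A^{-1}, then for each factor an inner product and a vector update."""
    x = matvec(Ainv, w, p)
    for uprime, v in factors:
        s = sum(a * b for a, b in zip(v, x)) % p
        x = [(xi + s * ui) % p for xi, ui in zip(x, uprime)]
    return x


def perturbed_matrix(A, U, V, p):
    """A + UV modulo p, only needed for the direct check against Gauss-Jordan."""
    UV = matmul(U, V, p)
    return [[(a + b) % p for a, b in zip(ra, rb)] for ra, rb in zip(A, UV)]
```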



3 Permutation Conditioning 

Let $A \in \mathbb{Z}^{n \times (n+k)}$ be given. Choose random wordsize primes in succession until a prime $p$ is found for which $A$ has full rank modulo $p$. The rank check is performed using Gaussian elimination. The lower bound (1) on $\omega$ (the word length on the computer) ensures such a prime will be found in an expected constant number of iterations. Once a good prime is found, we can also compute an $(n+k) \times (n+k)$ permutation matrix $P$ such that each principal submatrix of $AP$ is nonsingular modulo $p$. Let $B = AP$. Let $C$ be the modulo $p$ recursive inverse of the principal $n \times n$ submatrix of $B$. We call the tuple $(B, P, C, p)$ a permutation conditioning of $A$. Producing a permutation conditioning requires an expected number of O(n^ + n^(log ||A||)) word operations. 
4 Computation of Leading Minor 

Let $(B, P, C, p)$ be a permutation conditioning of $A \in \mathbb{Z}^{n \times (n+k)}$. Let $B_1$ be the principal $n \times n$ submatrix of $B$. Let $\mu$ be a bound on the number of nonzero entries in $B_1$ and let $d = \det B_1$. For a wordsize prime $p$, the image $d \bmod p$ can be computed in an expected number of $O(\mu(n + \log\|A\|))$ word operations using the method of Wiedemann [14]. Hadamard's bound gives $|d| \le (\sqrt{n}\,\|A\|)^n$, so if we have images for at least $\lceil n(\log_2 \sqrt{n}\,\|A\|)/(\omega - 1) \rceil + 1 = O(n(\log n + \log\|A\|))$ distinct primes we can compute $d$ using Chinese remaindering. We obtain the following. 

Proposition 1. The principal $n \times n$ minor of $B$ can be computed using an expected number of O(μn^(log n + log ||A||) + μn(log ||A||)^) word operations. 

Now assume we have computed $d = \det B_1$. Let $v \in \mathbb{Z}^{n \times 1}$ be the $n$-th column of [matrix not legible in the scan]. Then the last entry of $B_1^{-1} d v$ will be the determinant of the principal $(n-1) \times (n-1)$ submatrix of $B_1$. The vector $B_1^{-1} d v$ is computed in O(n^(log n + log ||A||)^) word operations using $p$-adic lifting as described in [2]. Because we have the recursive inverse of $B_1$, we get the following: 

Proposition 2. Let a permutation conditioning $(B, P, C, p)$ together with the principal $t \times t$ minor of $B$ be given, $t > 1$. Then the determinant of the principal $(t-1) \times (t-1)$ minor of $B$ can be computed in O(n^(log n + log ||A||)^) word operations. 



5 Lattice Conditioning 

Let a permutation conditioning $(B, P, C, p)$ of $A \in \mathbb{Z}^{n \times (n+k)}$ be given. Write $B = [B_1 \mid B_2]$ where $B_1$ is $n \times n$. Assume $d = \det B_1$ is also given. Recall that $\det \mathcal{L}(B)$ is the product of the diagonal entries in the Hermite basis of $B$. 

Definition 1. A lattice conditioning of $B$ is a tuple $(Q, W, c)$ such that: 

— $Q \in \mathbb{Z}^{k \times n}$, 

— $\gcd(c, pd^2) = \det \mathcal{L}(B)$ where $c = \det(B_1 + B_2 Q)$, 

— $W$ is the modulo $p$ iterated inverse of $B_1 + B_2 Q$. 

The purpose of a lattice conditioning is to compress the information from the extra columns $B_2$ into the principal $n$ columns. Note that 

$$[B_1 \mid B_2] \begin{pmatrix} I_n & \\ Q & I_k \end{pmatrix} = [B_1 + B_2 Q \mid B_2],$$ 

where the transforming matrix is unimodular. The condition $\gcd(c, pd^2) = \det \mathcal{L}(B)$ on $c$ means that we can neglect the columns $B_2$ when computing the Hermite basis of $B$. Note that the condition $\gcd(c, d^2) = \det \mathcal{L}(B)$ would also suffice, but using the modulus $pd^2$ ensures that $B_1 + B_2 Q$ is nonsingular modulo $p$. 

We have the following result, which follows from the theory of modulo $d$ computation of the Hermite form described in [3], see also [12, Proposition 5.14]. Let $(Q, W, c)$ be a lattice conditioning of $B$. Then 

Lemma 1. $\mathcal{L}([B_1 + B_2 Q \mid d^2 I]) = \mathcal{L}(B)$. 

The algorithm to compute a lattice conditioning is easiest to describe recursively. Let $\bar B$ and $\bar B_2$ be the matrices $B$ and $B_2$, respectively, but with the last column removed. Assume we have recursively computed a lattice conditioning $(\bar Q, \bar W, \bar c)$ for $\bar B$. Let $u$ be the last column of $B$. We need to compute a $v \in \mathbb{Z}^{1 \times n}$ such that $\gcd(c, pd^2)$ is minimized, where $c = \det(B_1 + \bar B_2 \bar Q + uv)$. Using the iterated inverse $\bar W$, compute $\bar u = (B_1 + \bar B_2 \bar Q)^{-1} \bar c\, u$ using linear $p$-adic lifting. This costs O(n^(log n + log ||A||)^) word operations. It is easy to derive from elementary linear algebra that $c = \bar c + v \bar u$. We arrive at the problem of computing $v$ such that 

$$\gcd(\bar c + v_1 \bar u_1 + v_2 \bar u_2 + \cdots + v_n \bar u_n,\; d^2) = \gcd(\bar c, \bar u_1, \bar u_2, \dots, \bar u_n, d^2). \qquad (3)$$ 

This problem, the “modulo $N$ extended gcd problem” with $N = pd^2$, is studied in [11]. From [6] we know that there exists a $v$ with entries bounded in magnitude by O((log d)^). We may assume (by induction) the same bound for the entries in $\bar Q$. Then $\|B_1 + \bar B_2 \bar Q\|$ = O(n(log d)^(log ||A||)) and Hadamard's bound gives that $\max(d, c, \|\bar u\|)$ = O(n(log n + log ||A||)). 

Lemma 2. A solution $v \in \mathbb{Z}^{1 \times n}$ to the modulo $pd^2$ extended gcd problem (3) which satisfies $\|v\|$ = O((log d)^) can be computed in O(n^(log n + log ||A||)^ + n^(log n + log ||A||)^) word operations. 

We obtain the following result. 

Proposition 3. Let a permutation conditioning $(B, P, C, p)$ for $A \in \mathbb{Z}^{n \times (n+k)}$ together with the principal $n \times n$ minor $d$ of $B$ be given. Suppose that $k < n$. Then a lattice conditioning $(Q, W, c)$ for $(B, P, C, p)$ which satisfies $\|Q\|$ = O((log d)^) can be computed in O(kn^(log n + log ||A||)^) word operations. 

In practice, the code fragment below will compute a suitable $v \in \mathbb{Z}^{1 \times n}$ and $c$ quickly. Correctness is easy to verify. 

    c ← c̄;  g ← gcd(c̄, pd²); 
    for i from 1 to n do 
        v[i] ← 0;  g ← gcd(g, ū[i]); 
        while gcd(c, pd²) ≠ g do  c ← c + ū[i];  v[i] ← v[i] + 1 
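An added example, not from the paper's implementation: the code fragment above as a Python function, together with the rank-one determinant identity $c = \bar c + v\bar u$ that makes it a lattice conditioning step. The exact integer vector $\bar u = \det(M)\,M^{-1}u$ is obtained here by Cramer's rule on a constructed $3 \times 3$ matrix instead of $p$-adic lifting; the matrix, the column $u$, and $N = p d^2$ with $p = 101$, $d = 4$ are constructed for this example.

```python
from functools import reduce
from math import gcd


def lattice_conditioning_step(c_bar, u_bar, N):
    """Greedy solution of the modulo N extended gcd problem: returns (v, c) with
    c = c_bar + v . u_bar and gcd(c, N) = gcd(c_bar, u_bar[0], ..., u_bar[-1], N).
    This is the paper's fragment with N = p d^2.  The inner loop terminates because,
    for every prime of N, at most one residue class of v[i] fails to reach the target."""
    c = c_bar
    g = gcd(c_bar, N)
    v = []
    for ui in u_bar:
        g = gcd(g, ui)            # target gcd once u_bar[i] is included
        vi = 0
        while gcd(c, N) != g:
            c += ui
            vi += 1
        v.append(vi)
    return v, c


def gcd_many(*values):
    return reduce(gcd, values)


def det(M):
    """Integer determinant by cofactor expansion (fine for the small constructed matrices)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))


def adjugate_times(M, u):
    """adj(M) u = det(M) M^{-1} u as an exact integer vector (Cramer's rule); this is the
    u_bar = (B_1 + B_2 Q)^{-1} c_bar u of the recursion, computed without lifting."""
    return [det([row[:i] + [u[r]] + row[i + 1:] for r, row in enumerate(M)])
            for i in range(len(M))]


# Constructed example: M plays the role of B_1 + B_2 Q, u is the new column.
EXAMPLE_M = [[2, 1, 0], [1, 3, 1], [0, 1, 2]]   # det = 8
EXAMPLE_U = [1, 1, 1]
EXAMPLE_N = 101 * 4 ** 2                         # N = p d^2 with p = 101, d = 4


def run_example():
    """One recursion step: returns (v, c, det(M + u v)); the last two must agree."""
    c_bar = det(EXAMPLE_M)
    u_bar = adjugate_times(EXAMPLE_M, EXAMPLE_U)
    v, c = lattice_conditioning_step(c_bar, u_bar, EXAMPLE_N)
    n = len(EXAMPLE_M)
    M_plus_uv = [[EXAMPLE_M[r][k] + EXAMPLE_U[r] * v[k] for k in range(n)] for r in range(n)]
    return v, c, det(M_plus_uv)
```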



6 Kernel Basis Computation 

Let a permutation conditioning $(B, P, C, p)$ of $A \in \mathbb{Z}^{n \times (n+k)}$ be given. Write $B = [B_1 \mid B_2]$ where $B_1 \in \mathbb{Z}^{n \times n}$. Assume $d = \det B_1$ is also given. We want to compute a basis of the kernel of $A$, i.e., an $N \in \mathbb{Z}^{(n+k) \times k}$ such that $\mathcal{L}(N) = \{v \in \mathbb{Z}^{n+k} \mid Bv = 0\}$. Noting that $AN = 0$ if and only if $BP^{-1}N = 0$ shows it will be sufficient to compute a kernel basis of $B$. 

The construction given in the next fact is classical. The bound is also easy to derive. See for example [12]. 
Fact 1. Let $X = d B_1^{-1} B_2$ and let $H$ be the trailing $k \times k$ submatrix of the Hermite basis of $\begin{pmatrix} B_1 & B_2 \\ & I \end{pmatrix}$. Then a kernel basis for $B$ is given by 

$$N = \begin{pmatrix} -XH(1/d) \\ H \end{pmatrix}.$$ 

Moreover, $\|N\|$ ≤ (√n ||A||)^. 

A happy feature of the basis given by Fact 1 is that it is canonical; it is the only basis which has trailing $k \times k$ submatrix in Hermite form. Suppose we had some other kernel basis $N$ for $B$. Then we could construct $H$ by transforming the trailing $k \times k$ block of $N$ to Hermite form. We will use this observation in our construction of $N$. Recover $X$ by solving the matrix system $B_1 X = d B_2$ using linear $p$-adic lifting. Let 

$$M = \begin{pmatrix} -X \\ dI \end{pmatrix} \in \mathbb{Z}^{(n+k) \times k}.$$ 

Then $BM = 0$. The following observation is well known. 

Fact 2. Let $M \in \mathbb{Z}^{(n+k) \times k}$ have rank $k$ and satisfy $BM = 0$. If $G \in \mathbb{Z}^{k \times k}$ is such that $\mathcal{L}(G^T) = \mathcal{L}(M^T)$ then $MG^{-1}$ is a basis for the kernel of $B$. 

Compute the Hermite basis $G^T$ of $M^T$. Then $MG^{-1}$ is a basis for the kernel of $B$. In particular $dG^{-1}$ is integral and has each diagonal entry a divisor of $d$. Recover $H$ by computing the Hermite form of $dG^{-1}$. Recovering $G$ and $H$ is accomplished using the modulo $d$ algorithm as described in [3] or [5]. The cost is O(nk^) operations with integers bounded in length by $\log|d|$ = O(n(log n + log ||A||)) bits, or O(n^k^(log n + log ||A||)^) word operations. This also bounds the cost of constructing $X$ and post-multiplying $X$ by $H(1/d)$. 

Proposition 4. Let a permutation conditioning $(B, P, C, p)$ for $A \in \mathbb{Z}^{n \times (n+k)}$ together with the principal $n \times n$ minor of $B$ be given. Then a kernel basis for $A$ can be computed in O(k^n^(log n + log ||A||)^) word operations. 



7 Hermite Basis Computation 

Recall that $l$ is the minimal index such that the principal $(n-l) \times (n-l)$ submatrix of the Hermite basis of $A$ is the identity. Our result is: 

Proposition 5. Let a permutation conditioning $(B, P, C, p)$ for $A \in \mathbb{Z}^{n \times (n+k)}$ together with the principal $n \times n$ minor $d$ of $B$ be given. Suppose $k < n$. Then the Hermite basis of $A$ can be computed in O(kn^(log n + log ||A||)^ + l^n^(log n + log ||A||)^) word operations. 

Proof. (Sketch) Let $\bar B$ be the first $l$ rows of $B_1 + QB_2$. Write $\bar B$ as $[\bar B_1 \mid \bar B_2]$ where $\bar B_1$ is $(n-l) \times (n-l)$. Find $\bar d = \det \bar B_1$ using $l - 1$ applications of Proposition 2. Let $\bar C$ be the recursive inverse of $\bar B_1$. (Note that we get $\bar C$ for free from $C$.) Compute a lattice conditioning $(\bar Q, \bar W, \bar c)$ for $(\bar B, I_{n+k}, \bar C, p)$. Then $\gcd(\bar c, p \bar d^2) = 1$. Furthermore: 



[block matrix identity not legible in the scan; the recoverable fragments are the blocks $[\bar B_1 \mid \bar B_2]$, $I_{n-l}$, $(\bar B_1 + \bar B_2 \bar Q)$, $\begin{pmatrix} I_{n-l} & \\ \bar Q & I_{k+l} \end{pmatrix}$ and entries marked $*$] 

where the transformed matrix on the right can be computed in O(kn^(log n + log ||A||)^) word operations using $p$-adic lifting. By an extension of Lemma 1, the Hermite basis of this matrix augmented with $\bar d^2 I$ will be the Hermite basis of $B$. The basis is computed using O(nl^) operations with integers bounded in length by $\log|d|$ = O(n(log n + log ||A||)) bits. 

8 System Solving 

Our result is: 

Proposition 6. Let the following (associated to an $A \in \mathbb{Z}^{n \times (n+k)}$) be given: 

— a permutation conditioning $(B, P, C, p)$, 

— the principal $n \times n$ minor $d$ of $B$, and 

— a lattice conditioning $(Q, W, c)$ for $(B, P, C, p)$ which satisfies $\|Q\|$ = O((log d)^). 

Then given a column vector $b \in \mathbb{Z}^{n+k}$, a minimal denominator solution to the system $Ax = b$ can be computed in O(n^(log n + log ||A||)^) word operations. 

Proof. The technique is essentially that used in [9]; we only give the construction here. Write $B$ as $B = [B_1 \mid B_2]$ where $B_1$ is $n \times n$. Compute $v = B_1^{-1} d\, b$ and $w = (B_1 + B_2 Q)^{-1} c\, b$. Find $s, t \in \mathbb{Z}$ such that $sd + tc = \gcd(d, c)$. Then 



[solution vector not legible in the scan; the recoverable fragments are a block $I_n$ and the term $v + t\,\cdot$] 

is a solution to $Ax = b$ with minimal denominator. 

Note that there exists a diophantine solution to the system if and only if the minimal denominator is one. 



9 Massaging and Machine Word Lifting 

The algorithms in previous sections make heavy use of $p$-adic lifting to solve linear systems. For efficiency, we would like to always choose $p$ to be a power of two. That is, $p = 2^\omega$ where $\omega$ is the length of a word on the particular architecture we are using, for example $\omega = 32, 64, 128$. Then the lion's share of the computation will involve machine arithmetic. 

Unfortunately, the input matrix $A$ may not have full rank modulo two, causing the permutation conditioning described in Section 2 to fail. In this section we show how to transform $A$ to a “massaged” matrix $B$ of the same dimension as $A$ but such that all leading minors of $B$ are nonsingular modulo two. The massaged $B$ can then be used as input in lieu of $A$. 

The construction described here is in the same spirit as the Smith form algorithm for integer matrices proposed by [8] and analogous to the massaging process used to solve a linear polynomial system described in [10]. 
Definition 2. A massaging of $A$ is a tuple $(B, P, G, C)$ such that: 

— $G \in \mathbb{Z}^{n \times n}$ is in Hermite form with each diagonal entry a power of two, 

— $G^{-1} A$ is an integer matrix of full rank modulo two, 

— $(B, P, C, 2^\omega)$ is a permutation conditioning of $A$. 

Now we describe an algorithm to compute a massaging. Let $\bar A$ be the submatrix of $A$ comprised of the first $n - 1$ rows. Recursively compute a massaging $(\bar P, \bar G, \bar B, \bar C)$ for $\bar A$. Write $\bar B = [\bar B_1 \mid \bar B_2]$ where $\bar B_1$ has dimension $(n-1) \times (n-1)$. Let $b = [b_1 \mid b_2]$ be the last row of $A$ where $b_1$ has dimension $n - 1$. Consider the over-determined linear system $x[\bar B_1 \mid \bar B_2] = [b_1 \mid b_2]$. This system is necessarily inconsistent since we assumed that $A$ has full row rank. But for maximal $t$, we want to compute an $x \in \{0, 1, \dots, 2^t - 1\}^{n-1}$ such that $x \bar B_1 = b_1 \bmod 2^t$, $x \bar B_2 = b_2 \bmod 2^{t-1}$ and $x \bar B_2 \ne b_2 \bmod 2^t$. At the same time find an elementary permutation matrix $E$ such that the first component of $(b_2 - x \bar B_2) E$ is not divisible by $2^t$. The computation of $x$ and $E$ is accomplished using linear $p$-adic lifting with $p = 2^\omega$; for a description of this see [2] or [9]. Set 



[block matrices not legible in the scan; the recoverable fragments are $G = \begin{pmatrix} \bar G & \\ x & 2^t \end{pmatrix}$, $P = \bar P \begin{pmatrix} I_{n-1} & \\ & E \end{pmatrix}$, and a matrix built from $\bar B$ whose last row involves $\frac{1}{2^t}\begin{pmatrix} -x & 1 \end{pmatrix}$] 

Update the recursive inverse to produce $C$ as described in Section 2. 

We now estimate the complexity of computing a massaging. By Hadamard's bound, $\log_2 \det G \le n(\log_2 \sqrt{n} + \log_2 \|A\|)$ which gives the worst-case bound 

$$\lceil n + n \log_2(\sqrt{n}\,\|A\|)/\omega \rceil = O(n(\log n + \log\|A\|))$$ 

on the number of lifting steps. This is a worst-case factor of only $O(\log n + \log\|A\|)$ more lifting steps than required to compute only a permutation conditioning. 

The only quibble with massaging is that entries in $B$ might be larger than entries in $A$. Recall that the parameter $l$ is used to denote the smallest index such that the Hermite basis of $A$ has principal $(n-l) \times (n-l)$ submatrix the identity. Then entries in the first $n - l$ rows of $B$ are bounded by $\|A\|$. The bound 

$\|G^{-1}\| \le$ [not legible in the scan]   (4) 

is easy to derive. It follows that $\|G^{-1} B\| \le n(l +$ [remainder not legible in the scan]. We remark that the bound (4) is pessimistic but difficult to improve substantially in the worst case. It is an unfortunate byproduct of the fact that the ring $\mathbb{Z}$ is archimedean. In practice, $\|G^{-1}\|$ is much smaller. 



10 Implementation and Execution 

All the algorithms described in the previous sections have been implemented in C using the GNU MP large integer package. While the implementation is still experimental, preliminary results are very encouraging for computing the determinant, kernel and Hermite form of matrices with small $k$ and $l$. 

We have employed this code on matrices generated during the computation of class groups and regulators of quadratic fields using the algorithm described in [7]. This algorithm uses the index-calculus approach and is based largely on the self-initializing quadratic-sieve integer-factorization algorithm. As in the factoring algorithm, the matrices generated are very sparse, with on the order of only 0.5% of entries nonzero. 

The kernel of the matrix is required to compute the regulator of a real quadratic field. In practice, only a few vectors in the kernel are sufficient for this purpose, so the dimension of the kernel is small. As noted earlier, the expected number of diagonal elements of the Hermite basis which are not 1 is also small. The algorithms described in this paper are especially effective for this type of input. 



Timings 

The following table summarizes some of the execution timings on input as de- 
scribed above. Times are in hours and minutes. 



Input 


1 Timings HH:MM I 


n 


n -I- fc 


1 


% 


Massaging 


Det 


Cond 


Kernel 


Hermite 


6000 


6178 


T 


.373 


00:14 


05:50 


02:40 


- 


00:03 


6000 


6220 


T 


.460 


00:17 


06:33 


03:10 


- 


00:03 


5000 


5183 


o' 


.542 


00:09 


07:55 


00:02 


02:50 


- 


6000 


6181 


0 


.473 


00:15 


27:15 


00:04 


05:07 


- 


8600 


8908 


0 


.308 


00:38 


20:30 


00:14 


19:15 


- 


10500 


10780 


0 


.208 


01:09 


68:06 


00:15 


36:40 


- 



All computations were performed on 866Mhz Pentium III processors with 
256Mb of RAM. Machine word lifting was used. The times for the determinant 
computation represent total work done; each determinant was computed in par- 
allel on a cluster of ten such machines. 

The first two rows in the table correspond to input matrices from the com- 
putation of the class groups of two imaginary quadratic orders. In this case, 
there is no regulator and hence the kernel does not have to be computed. The 
remaining examples all arise from real quadratic fields. The Hermite basis was 
trivial for all theses examples, a fact which was immediately detected once the 
lattice determinant had been computed. The second example and the last exam- 
ple correspond to quadratic orders with 90 and 101 decimal-digit discriminants, 
respectively. These are the largest discriminants for which the class group and 
regulator have been computed to date. 

For comparison, previous methods described in [7], and run on a 550Mhz 
Pentium, required 5.2 days to compute the determinant and Hermite form of the 
6000 x 6220 matrix. The 6000 x 6181 matrix required 12.8 days of computing 
time to find the determinant, Hermite form and kernel on the same machine. 
Computation of the Hermite form of the 10500 x 10780 matrix required 12.1 
days. In this latter case, the computation of the kernel was not possible without 
the new methods described in this paper. 
Abstract. The subgraphs C_1, C_2, ..., C_k of a graph G are said to 
identify the vertices (resp. the edges) of G if the sets {j : v ∈ C_j} (resp. 
{j : e ∈ C_j}) are nonempty for all the vertices v (edges e) and no two are 
the same. We consider the problem of minimizing k when the subgraphs 
C_i are required to be cycles or closed walks. The motivation comes from 
maintaining multiprocessor systems, and we study the cases when G is 
the binary hypercube, or the two-dimensional p-ary space with respect 
to the Lee metric. 

Keywords: Identification, cycle, binary hypercube, Hamming distance, 
Lee metric, graph, multiprocessor system. 



1 Introduction 

Assume that G is a finite, undirected graph, and that each vertex (node) contains 
a processor and each edge represents a connection (dedicated communication 
link) between two processors. We wish to maintain the system, and consider the 
case in which at most one of the processors (or alternatively, at most one of 
the connecting wires between the processors) is not working. We can send test 
messages and route them through this network in any way we choose. What is 
the smallest number of messages we have to send if based on which messages 
safely come back (i.e., the idea is that the messages are routed to eventually 
reach the starting point) we can tell which vertex (resp. edge) is broken (if any)? 
See [4], [25], [24]. 

A sequence v_0 e_1 v_1 e_2 ... e_n v_n of vertices v_j in G and edges e_j = (v_{j-1}, v_j) in G 
is called a walk. If v_0 = v_n, it is a closed walk. We would like to find a collection 
of closed walks C_1, C_2, ..., C_k that together contain all the vertices (resp. edges) 
and moreover, the sets {j : v ∈ C_j} (resp. {j : e ∈ C_j}) are all different. We 
denote the minimum cardinality k by V*(G) (resp. E*(G)). Since a walk may 
contain the same vertex and the same edge more than once, the minimum k 
remains the same even if we only require that the C_j's are connected. 

* Research supported by the Academy of Finland under grant 44002. 

For technical reasons ([4], [25]), we would like our closed walks to be cycles, 
i.e., closed walks v_0 e_1 v_1 ... v_n, n ≥ 3, where v_i ≠ v_j whenever i ≠ j, except that 
v_0 = v_n. We denote the minimum cardinality k in this second variant by V(G) 
(resp. E(G)). 

In Section 2 we assume that G is the binary hypercube F_2^n, where F_2 = {0, 1}. 
Its vertices are all the binary words in F_2^n, and the edge set consists of all pairs of 
vertices connecting two binary words that are Hamming distance one apart. We 
denote by d(x, y) the Hamming distance between the vectors x, y ∈ F_2^n and by 
w(x) the number of ones in x. In Section 3 we consider the p-ary space Z_p^n with 
respect to the Lee metric. 

The results of this paper are from [11], where more detailed proofs can be 
found. Various other identification problems have been considered, e.g., in [4], 
[16], [17], [18], [24], [25] and in [2], [3], [5], [6], [7], [8], [9], [10], [12], [13], [14], [19], 
[20], [21], [22]. 

2 Binary Hypercubes 

In this section we assume that G is the binary hypercube F_2^n and denote V(G) 
and E*(G) by V(n) and E*(n). 

For arbitrary sets, we have the following trivial identification theorem: 

Theorem 1. A collection A_1, A_2, ..., A_k of subsets of an s-element set S is 
called identifying, if for all x ∈ S the sets {i : x ∈ A_i} are nonempty and differ- 
ent. Given s, the smallest identifying collection of subsets consists of ⌈log_2(s+1)⌉ 
subsets. □ 

Of course, both the vertex and edge identification problems are special cases 
of this problem, and for the binary hypercube with s = 2^n vertices we get the 
lower bound 

V(n) ≥ ⌈log_2(2^n + 1)⌉ = n + 1. 

Theorem 2. V(n) = n + 1 for all n ≥ 2. 

Proof. We construct n + 1 cycles all starting from the all-zero vector 0. Let C_0 
be any cycle starting from 0 which visits the all-one vector 1. Given i, 1 ≤ i ≤ n, 
let C_i be a cycle which visits exactly once all the points whose i-th coordinate 
equals 0: this is simply an (n−1)-dimensional Gray code (see, e.g., [23, p. 155]). 

These n + 1 cycles together have the required property: a point x lies in C_i 
if and only if x_i = 0. The cycle C_0 guarantees that also the all-one vector lies in 
at least one cycle. □ 
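The Theorem 2 construction carried out in code, as an added example that is not part of the original paper: the n + 1 cycles are built explicitly (C_0 through 0 and 1, C_i from a reflected Gray code on the (n−1)-cube), checked to be cycles, and checked to identify all 2^n vertices.

```python
# Added example (not from the paper): build the n + 1 cycles of the Theorem 2
# construction and check that they identify the vertices of the n-cube.
# A binary word is encoded as an integer; coordinate i (1 <= i <= n) is bit i-1.


def gray_cycle(m):
    """Reflected Gray code on m >= 2 bits: a Hamiltonian cycle of the m-cube."""
    return [k ^ (k >> 1) for k in range(1 << m)]


def insert_zero_bit(word, i):
    """Embed an (n-1)-bit word into n bits by inserting a 0 as coordinate i."""
    low = word & ((1 << (i - 1)) - 1)
    return ((word >> (i - 1)) << i) | low


def theorem2_cycles(n):
    """C_0 visits the all-zero and all-one words; C_i is a Gray cycle on {x : x_i = 0}."""
    ones = (1 << n) - 1
    # C_0: 0, e_1, e_1+e_2, ..., 1, then drop e_1, e_2, ..., e_{n-1}, ending at e_n
    up = [(1 << j) - 1 for j in range(n + 1)]
    down = [ones ^ ((1 << j) - 1) for j in range(1, n)]
    cycles = [up + down]
    for i in range(1, n + 1):
        cycles.append([insert_zero_bit(w, i) for w in gray_cycle(n - 1)])
    return cycles


def is_cycle(walk):
    """Closed walk of distinct vertices whose consecutive vertices differ in one bit."""
    if len(walk) < 3 or len(set(walk)) != len(walk):
        return False
    return all(bin(walk[j] ^ walk[(j + 1) % len(walk)]).count("1") == 1
               for j in range(len(walk)))


def identifies_vertices(cycles, vertices):
    """Every vertex lies in some cycle and the sets {j : v in C_j} are pairwise distinct."""
    members = [set(c) for c in cycles]
    sigs = [frozenset(j for j, m in enumerate(members) if v in m) for v in vertices]
    return all(sigs) and len(set(sigs)) == len(sigs)


def check_theorem2(n):
    """True iff the construction yields n + 1 genuine cycles that identify F_2^n."""
    cycles = theorem2_cycles(n)
    return (len(cycles) == n + 1
            and all(is_cycle(c) for c in cycles)
            and identifies_vertices(cycles, range(1 << n)))


if __name__ == "__main__":
    for n in range(3, 9):
        print(n, check_theorem2(n))
```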

Consider now the edge identification problem using closed walks. The number 
of edges is clearly n2^{n−1}, and by Theorem 1, 

E*(n) ≥ ⌈log_2(n2^{n−1} + 1)⌉ = n + ⌊log_2 n⌋. 

There is a construction [11] which uses n + ⌊log_2 n⌋ + 2 closed walks, and we 
therefore get the following theorem. 

Theorem 3. n + ⌊log_2 n⌋ ≤ E*(n) ≤ n + ⌊log_2 n⌋ + 2. 

3 The Case G = Z_p^n with Respect to the Lee Metric 

In this section G is the set Z_p^n with respect to the Lee metric, i.e., two vertices 
(x_1, x_2, ..., x_n) and (y_1, y_2, ..., y_n) are adjacent if and only if x_j − y_j = ±1 for 
a unique index j and x_i = y_i for all i ≠ j. 

We denote V(G), V*(G) and E*(G) by V(p,n), V*(p,n) and E*(p,n). The 
simple proof of the following theorem can be found in [11]. 

Theorem 4. V*(p, 1) = E*(p, 1) = ⌈p/2⌉ for all p ≥ 5. 

Consider the case n = 2. The graph can be drawn as a p × p grid (cf. Figure 
1). For each i, denote by (1, i), (2, i), ..., (p, i) the vertices on the i-th horizontal 
row from the bottom. We operate on the coordinates modulo p. Each vertex (i, j) 
is adjacent to the four vertices (i − 1, j), (i + 1, j), (i, j − 1) and (i, j + 1). For 
instance, (1, p) and (1, 1) are adjacent. 

Theorem 5. ⌈2 log_2 p⌉ ≤ V(p, 2) ≤ 2⌈log_2(p + 1)⌉ + 1 for all p ≥ 4. 

Proof. Let D be the cycle (1, p), (2, p), (2, p−1), ..., moving alternately one 
step to the right and one step down until it circles back to (1, p); and let E 
(resp. F) be the cycle obtained from D by shifting it down by one step (resp. 
two steps); cf. Figure 1 where p = 12. 

Take k = ⌈log_2 p⌉, and let A be the k × p matrix whose i-th column is the 
binary representation of i. For p = 12, we have 

    A = [ 0 0 0 0 0 0 0 0 1 1 1 1 ]
        [ 0 0 0 0 1 1 1 1 0 0 0 0 ]
        [ 0 0 1 1 0 0 1 1 0 0 1 1 ]
        [ 0 1 0 1 0 1 0 1 0 1 0 1 ] . 

From each row A_i of A we form a cycle B_i as follows (cf. Figure 2): 

The cycle starts from the vertex (1, 1) ∈ D, and moves to (1, p) and 
(2, p). 

Assume that we currently lie in (j, p − j + 2) ∈ D. 

— If the j-th bit of A_i is 0, then we take one step down and one step 
to the right to (j + 1, p − j + 1) ∈ D. 

— If the j-th bit of A_i is 1, then we move up along the j-th column and 
circle round to the point (j, p − j + 1) and take one step to the right 
to (j + 1, p − j + 1) ∈ D. 
If p is not a power of two, then there is no all-1 column in A, which implies 
that a vertex v belongs to all the cycles B_1, B_2, ..., B_k if and only if v ∈ D. If 
p is a power of two, then we also take D itself into our collection of cycles. 

The idea is that apart from a belt D consisting of two diagonals, we can 
say that a vertex v = (x, y) belongs to B_i if and only if the i-th bit in the binary 
representation of x is 1. In other words, if we know that v ∉ D, then we can 
determine x using the B-cycles. 

In a similar way, we construct k more cycles C_1, C_2, ..., C_k for determining 
the y-coordinate of v. For all i = 1, 2, ..., k, the cycle C_i starts from (1, p − 2) ∈ F 
and is built using the following rules (cf. Figure 3): 

Assume that we currently lie in (j, p − j − 1) ∈ F. 

— If the (p − j − 1)-st bit of A_i is 0, we move one step to the right and 
one down, to the vertex (j + 1, p − j − 2). 

— If the (p − j − 1)-st bit of A_i is 1, we move to the left along the 
(p − j − 1)-st row and circle round until we reach the vertex (j + 
1, p − j − 1), and move one step down to (j + 1, p − j − 2). 

Fig. 3. The cycle C_2. 

If p is a power of two, we also take F into our collection of cycles. 

We claim that the cycles B_1, B_2, ..., B_k, C_1, C_2, ..., C_k and E, together 
with D and F if p is a power of two, have the required property. Clearly, we 
have the right number of cycles. 
All vertices are in at least one of our cycles. The identification of the empty 
set is therefore clear. It suffices to show that we can identify an unknown vertex 
v = (x, y) based on the information of which of our cycles it belongs to. 

We first determine whether or not v ∈ D, and similarly whether or not 
v ∈ F. If neither, then the B-cycles tell us the x-coordinate and the C-cycles 
the y-coordinate of v, and we are done. Assume that v ∈ D. Since D and F have 
an empty intersection, we can use the C-cycles to determine the y-coordinate of 
v. There are only two vertices in D with a given y-coordinate, and exactly one 
of them belongs to E, so we can identify v. In the same way, if v ∈ F, then the 
B-cycles tell us the x-coordinate of v. Again the cycle E tells us which one of 
the two remaining vertices in F with the same x-coordinate v is. □ 
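The Theorem 5 construction checked in code, as an added example that is not part of the original paper. Cycles are represented by their vertex sets, following the membership description in the proof (B_i is the belt D plus the columns whose i-th bit is 1, C_i is the belt F plus the rows whose i-th bit is 1); walk order is not reconstructed, since only membership matters for identification. Coordinates are taken modulo p, so the column and row written p in the paper are 0 here.

```python
# Added example (not from the paper): verify the Theorem 5 cycle family for the
# p x p Lee-metric grid Z_p^2 by vertex membership, for every p from 4 up.
from math import ceil, log2


def belt(p, shift):
    """Two adjacent diagonals of Z_p^2: D for shift 0, E for shift 1, F for shift 2.
    D = {(j, p-j+2), (j, p-j+1)}; E and F are D moved down one and two steps."""
    return ({(j, (2 - shift - j) % p) for j in range(p)}
            | {(j, (1 - shift - j) % p) for j in range(p)})


def theorem5_cycles(p):
    """Vertex sets of the cycles used in the proof of Theorem 5 for the p x p grid."""
    k = ceil(log2(p))                       # k = number of rows of the matrix A
    D, E, F = belt(p, 0), belt(p, 1), belt(p, 2)
    grid = [(x, y) for x in range(p) for y in range(p)]
    # B_i: the belt D plus every column x whose i-th binary digit is 1
    B = [D | {(x, y) for x, y in grid if (x >> i) & 1} for i in range(k)]
    # C_i: the belt F plus every row y whose i-th binary digit is 1
    C = [F | {(x, y) for x, y in grid if (y >> i) & 1} for i in range(k)]
    cycles = B + C + [E]
    if (p & (p - 1)) == 0:                  # p a power of two: A has an all-one column
        cycles += [D, F]
    return cycles


def identifies_vertices(cycles, vertices):
    """Every vertex lies in some cycle and the sets {j : v in C_j} are pairwise distinct."""
    sigs = [frozenset(j for j, c in enumerate(cycles) if v in c) for v in vertices]
    return all(sigs) and len(set(sigs)) == len(sigs)


def check_theorem5(p):
    """True iff the cycle count is 2*ceil(log2(p+1)) + 1 and all p^2 vertices are identified."""
    cycles = theorem5_cycles(p)
    grid = [(x, y) for x in range(p) for y in range(p)]
    return len(cycles) == 2 * ceil(log2(p + 1)) + 1 and identifies_vertices(cycles, grid)


if __name__ == "__main__":
    for p in range(4, 33):
        print(p, check_theorem5(p))
```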

To identify the edges using closed walks, we have the following result from 
[11]. 

Theorem 6. ⌈2 log_2 p⌉ + 1 ≤ E*(p, 2) ≤ 2⌈log_2 p⌉ + 2. 
Abstract. We address a decoding problem for symmetric binary-input 
memoryless channels when data are transmitted using a cyclic binary 
code and show that some algebraic methods, like the Berlekamp-Massey 
algorithm, developed for cyclic codes and binary symmetric channels 
can be effectively used to solve the problem. 



1 Possible Extension of Operations in the Galois Field 



Let us consider the Galois field GF(2^m) introduced by the primitive polynomial 
F(z) = F_0 + F_1 z + ... + F_m z^m, where F_0 = F_m = 1 and F_1, ..., F_{m−1} ∈ {0, 1}. Let α denote 
the primitive element and let 0, α^0, ..., α^{2^m−2} be the elements of the field, which 
are represented as binary column-vectors of length m. Each non-zero element 
can be uniquely expressed as a linear combination of the basis α^0, ..., α^{m−1}. 

Definition 1. Let ω denote a formal variable. Introduce the infinite set con- 
structed from the elements 0, ω^δ α^j, ... for all δ ≥ 0 in such a way that 



and 



+ 0 = 

(w'^a^)O = 0 

= 0 

) 

{io^a^y = 

jeJ j'eJ' jejj'ej' 

oj^a^ + + u)^a^ 



where δ, ε ≥ 0; j, j' ∈ {0, ..., m − 1}; J, J' ⊆ {0, ..., m − 1}. 
Example 1. Let m = 4, F(z) = 1 + z + z^4. Then 



a = a + a 






and 

io^a^ = (uj^a^) + (uj^a^) 

= (w®a°) + + (w®a^). 

Therefore 

(w®a°) + (co^a^) + (w®a^) 






2 Statement of the Decoding Problem 

Suppose that there is a discrete memoryless channel defined by the crossover 
probabilities W_x(y), x ∈ {0, 1}, y ∈ Y = {0, ..., |Y| − 1}, in the sense that 

W(y|x) = Π_{i=0}^{n−1} W_{x_i}(y_i) 

is the conditional probability to receive the vector y = (y_0, ..., y_{n−1}) ∈ Y^n 
when the vector x = (x_0, ..., x_{n−1}) ∈ {0, 1}^n was sent. We will assume that the 
channel is symmetric, i.e., 

W_0(y) = W_1(|Y| − 1 − y), for all y ∈ Y. (1) 

Let a linear block code C having length n be used for data transmission. 
Suppose also that the decoder has to construct a codeword having the smallest 
distortion defined as 

δ(x, y) = Σ_{j=0}^{n−1} δ(x_j, y_j) 

where δ(x, y) ≥ 0, x ∈ {0, 1}, y ∈ Y, are given by the 2 × |Y| distortion matrix. 
We will assume that the y-th column of this matrix has exactly one positive 
entry and denote it by δ(y) for all y ∈ Y. For example, if Y = {0, 1, 2, 3}, then 
the distortion matrix can be specified as 



    [ δ(0,0) ... δ(0,3) ]   [ 0     0     δ(2)  δ(3) ]   [ 0 0 1 4 ]
    [ δ(1,0) ... δ(1,3) ] = [ δ(0)  δ(1)  0     0    ] = [ 4 1 0 0 ] .   (2) 

Given y ∈ Y^n, let 

y*_j = 0, if δ(0, y_j) = 0;  1, if δ(1, y_j) = 0.   (3) 
Then, as it is easy to see, 

δ(x, y) = Σ_{j ∈ J(x, y*)} δ(y_j)   (4) 

where 

J(x, y*) = {j ∈ {0, ..., n − 1} : x_j ≠ y*_j}.   (5) 

Construction of the vector y* corresponds to quantization of the components 
of the received vector y. However, the maximum likelihood decoding algorithm 
applied to the vector y* does not, in general, find the codeword minimizing the 
distortion for y. 

Example 2. Suppose that C is the (15,7) BCH code generated by the polynomial 
g(z) = 1 + … and having the parity check matrix 

    [ 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 ]
    [ 0 1 0 0 1 1 0 1 0 1 1 1 1 0 0 ]
    [ 0 0 1 0 0 1 1 0 1 0 1 1 1 1 0 ]
    [ 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 ]
    [ 1 0 0 0 1 1 0 0 0 1 1 0 0 0 1 ]   (6) 
    [ 0 0 0 1 1 0 0 0 1 1 0 0 0 1 1 ]
    [ 0 0 1 0 1 0 0 1 0 1 0 0 1 0 1 ]
    [ 0 1 1 1 1 0 1 1 1 1 0 1 1 1 1 ]



Note that the code contains the all-zero codeword 0 and the codeword x* having 
components 

x*_j = 0, if j ∉ {0, 1, 2, 9, 13};  1, if j ∈ {0, 1, 2, 9, 13}. 

Let Y = {0, 1, 2, 3} and let the distortion matrix be defined by (2). If 

y_j = 0, if j ∉ {0, 1, 2, 9, 13};  1, if j ∈ {0, 1, 2};  2, if j = 9;  3, if j = 13   (8) 

and the decoder uses the maximum likelihood algorithm for the vector y*, then 
the all-zero codeword is decoded. However, 

δ(0, y) = δ(y_9) + δ(y_13) = 5, 
δ(x*, y) = δ(y_0) + δ(y_1) + δ(y_2) = 3. 
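Example 2 reproduced by brute force, as an added example that is not part of the original paper: the (15,7) code is enumerated as the kernel of the parity check matrix (6), y* is formed by (3), and nearest-codeword decoding of y* is compared with minimum-distortion decoding of y under the distortion matrix (2).

```python
# Added example (not from the paper): Example 2 by exhaustive search over the
# 128 codewords defined by the parity check matrix (6).
H_ROWS = [
    "100010011010111", "010011010111100", "001001101011110", "000100110101111",
    "100011000110001", "000110001100011", "001010010100101", "011110111101111",
]
N = 15
# Bit j of a mask is column j of the row, so a parity check is a popcount.
ROW_MASKS = [sum(int(ch) << j for j, ch in enumerate(row)) for row in H_ROWS]
# Distortion matrix (2): row x = 0 is [0, 0, delta(2), delta(3)],
# row x = 1 is [delta(0), delta(1), 0, 0].
DELTA = {0: [0, 0, 1, 4], 1: [4, 1, 0, 0]}


def codewords():
    """All x in {0,1}^15 with H x = 0 (mod 2): the 128 words of the (15,7) code."""
    words = []
    for bits in range(1 << N):
        if all(bin(bits & mask).count("1") % 2 == 0 for mask in ROW_MASKS):
            words.append([(bits >> j) & 1 for j in range(N)])
    return words


def quantize(y):
    """y* from (3): y*_j = 0 if delta(0, y_j) = 0, and 1 if delta(1, y_j) = 0."""
    return [0 if DELTA[0][yj] == 0 else 1 for yj in y]


def distortion(x, y):
    """delta(x, y) = sum_j delta(x_j, y_j), the quantity the decoder has to minimize."""
    return sum(DELTA[xj][yj] for xj, yj in zip(x, y))


def hamming(a, b):
    return sum(u != v for u, v in zip(a, b))


def decode_both(y):
    """Nearest-codeword decoding of y* (maximum likelihood for the BSC) versus
    minimum-distortion decoding of y; returns both codewords with their distortions."""
    words = codewords()
    y_star = quantize(y)
    ml = min(words, key=lambda x: hamming(x, y_star))
    best = min(words, key=lambda x: distortion(x, y))
    return ml, distortion(ml, y), best, distortion(best, y)


# The received vector y of (8): symbol 1 at positions 0, 1, 2, symbol 2 at 9,
# symbol 3 at 13, and 0 elsewhere.
Y_EXAMPLE = [0] * N
Y_EXAMPLE[0] = Y_EXAMPLE[1] = Y_EXAMPLE[2] = 1
Y_EXAMPLE[9], Y_EXAMPLE[13] = 2, 3

if __name__ == "__main__":
    print(decode_both(Y_EXAMPLE))
```

The search returns the all-zero word with distortion 5 for y* and x* (ones at 0, 1, 2, 9, 13) with distortion 3 for y, matching the two values above.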



3 Possible Algebraic Approach to the Decoding Problem 

Lemma. Given a vector y ∈ Y^n, let 

(δ_0, ..., δ_{n−1}) = (δ(y_0), ..., δ(y_{n−1})) 

and let 



= for all J C {Q, . . . ,n - 1}. 



If α^i is a root of the generator polynomial of the code C, then 



for all x ∈ C, where the set J(x, y*) is defined in (5). 

Proof: Let β = α^i. Since x ∈ C, we obtain 



j-.Xj = l 3'-Xj = 

= (i: 



r-xj=i 



(E 

iX 



r-xj=i 



= ^ [{X^f}^) + {Xf}i)]= ^0 = 0. 



Therefore 



i:y*=i i:y*=i r-xj=i 

= ( ^ + [ Y + 

j-.Xj=y‘ = l 

= ( ^ ( 3 ^) + ( ^ o) = E 



r- Xj^y* 



r-Xj=y* = l r-Xj^y* 



and (10) follows. 

Let us fix X G C, and denote 

J = JXy*), L=\J\ 



Lx 

fj{oj,z) = n (“°+ 



where 



fo,jX = o° 
fi.jX = E 

jeJ 

h,j{oj) = E ' 

31^32 



Qi^ji+h 



fL,j{oj) = Q^j^J 
It can be easily checked that the introduction of the parameter ω and the arith- 
metic rules given in Definition 1 do not change the equations for the binary 
symmetric channels that follow from Newton's identities [1], 



1^1 



0, if i is even 

ai^j{uj), if i is odd 



for all i = 1, ..., L − 1 and 

L 

for all i = L + 1, ..., n − 1. 

For example, if the parity check matrix of the code is defined in (6), then 

'^{0,1,2} (w, z) = (^Q;° -I- -I- 

= a^+ z + 

' 7 { 9 , 13 }(‘^, z) = + (uj^^a^)z^ (a° + 

= Qf° -b -b -b (u}^a'^^z‘^. 

Suppose that the components of the received vector are defined by (8). Then the 
vector y* has 1's only at positions 9, 13, and 

S'*,{9.i3}(t^|y) = i = 0, 1, . . . 

Thus, 



>5'i,{9,13}(w y) 




-b 


>5'2,{9,13}(w y) 




-b 


>5'3,{9,13}(w y) 




-b 


_-5'4.{9,13}(w|y)_ 







Since α^1, ..., α^4 are roots of the generator polynomial, these functions satisfy 
(10) for any codeword x. 

To describe a variant of the known Berlekamp-Massey algorithm [1] for 
searching for the coefficients f_{i,J}(ω) we need inversions of the discrepancies, 
which are functions of ω. 

Definition 2. Let K ≥ 1 and let the functions 

K K 

D{ui) = D'{uj) = 

k=l k=l 

be given in such a way that ik > i'j^ for all k = 1, K. Introduce the function 

K 

(Di(u;) :Do(u;)) 
where 

K 

Pk = C(^*‘ 1^ 

k=l 



The algorithm is given below. 

1. Set i = 1, h = 0, D(ω) = ω^0 α^0 and (L, f(ω, z)) = (λ, φ(ω, z)) = (0, ω^0 α^0). 

2. Increase h by 1 and set 



Di{uj) = S'i(a;|y) + /i(w)S'i_i(w|y) + . . . + fL{u})Si-L{to\y) 



hi = h 

{Xi,ipPui,z)) = {\,if{u},z)) 

{ iL,f{u,z)), 



{Li, Miv, z)) - I ^ ^ 



where 



/'(w, z) = f{u, 2 ) + ( A(w) : D{{uj 



if A(w) = 0 
, if A(w) p 0 

)^z^ip{cv,z). 



3. If L_i > L, then set (λ, φ(ω, z)) = (L, f(ω, z)), D(ω) = D_i(ω), and h = 0. 

4. Set (L, f(ω, z)) = (L_i, f_i(ω, z)). 

5. If i < t, where we assume that α^1, ..., α^t are roots of the generator polyno- 
mial of the code, then increase i by 1 and go to 2. 

6. End. 



If (S_1(ω|y), ..., S_4(ω|y)) are defined by the matrix on the right-hand side of (11), 
then the current results of the algorithm are as follows. 



i = 0 : 



Dq(uj) = uj^a° 
fo{uj,z) = w°a° 

(po{u),z) = w°a° 

i = 1 : 

Di{uj) = -I- 

: D[{u}) ^ = (wA®) -I- {uj'^a^^) 

fi{uj,z) = a° -k ((wA®) -k {uj'^a^^)^z 
(pi{uj,z) = a° 

i = 2 : 

D2{co) = {uj'^a^) -k -k -k [{oj^a^) -k 

= 0 

f2{ui, z) = + (^ (w^a®) + 

ip2{u>,z) = a° 
i = 3 : 

= (w®Qf^) + (w®a®) 

L>3(w) : D'^{uj) ^ = oj^{a^ + a^){a^ + 

= u;V 

/3(w, z) = Qf° + ^ ^ z + (w^o;’^)z^ 

ipz{uj, z) = Qf° + ^ (w^a®) + ^ z 

i = 4 : 

I?4(w) = (w"^a®) + + ^(w^a®) + + (w^®a®)^ 

= 0 

/4(w, z) = a® + ^ (w^a®) + ^ + (w®a’^)z® 

ipi{uj, z) = a® + ^ (w^Qf®) + (w^a^®) ^ z 

Thus, the algorithm sequentially constructs the polynomials 

f^{(0)}(ω, z) = α^0 

f^{(1)}(ω, z) = α^0 + ((ω^1 α^9) + (ω^4 α^13)) z 

f^{(3)}(ω, z) = α^0 + ((ω^1 α^9) + (ω^4 α^13)) z + (ω^5 α^7) z^2. 

As a result, we know that decoding of the vector y* leads to a codeword having 
distortion 5 relative to the received vector y. The same conclusion could 
be reached if we ran the conventional Berlekamp-Massey procedure, constructed 
the polynomial f^{(3)}(1, z), found its roots α^{−9}, α^{−13}, and computed δ_9 + δ_13. The 
introduction of the "distortion enumerator" in the definition of the syndrome 
also allows us to simplify the search for roots (this is not a difficult problem for 
our example, but we discuss these points in a more general context): we know 
that the total number of roots is 2 and that the total distortion is 5; hence, one 
of the roots, α^{−j_1}, is such that j_1 belongs to the set of positions where y has 
symbols 1 or 2, and the other root, α^{−j_2}, is such that j_2 belongs to the set of 
positions where y has symbols 0 or 3. Furthermore, we know that 3 components, 
j'_1, j'_2, j'_3, of the vector y* should be corrected only if δ_{j'_1} + δ_{j'_2} + δ_{j'_3} < 5, 
which means that all these components belong to the set of positions where y 
has symbols 1 or 2. We also know that α^{−j'_1}, α^{−j'_2}, α^{−j'_3} must be roots of the 

polynomial 

z) + z)oP ^ = a® + a^®z + (a® + a”^)z® + a^®^-^z® 
for some j ∈ {0, ..., 14}. The solution in this case is j'_1 = 0, j'_2 = 1, j'_3 = 2 and 
j = 8. 

The basic idea of the approach described above is the observation that the known 
computations with syndromes remain possible when we simultaneously process 
the current distortions of the codewords. This possibility can be useful for alge- 
braic soft-decision decoding. We have tried to demonstrate it for the Berlekamp- 
Massey algorithm. 
Abstract. Any vector with components in a Galois ring R = GR(p^m, n) 
has a unique p-adic representation, given a transversal on the cosets of 
(p) in R. We exploit this representation to lift a decoding algorithm for 
an associated code over the residue field of R to a decoding scheme for the 
original code. The lifted algorithm involves n consecutive applications of 
the given procedure. We apply these techniques to the decoding of an 
alternant code over a Galois ring. 



1 Introduction 

The notion of lifting a decoding scheme for a linear code over Z_p to a decoding 
scheme for a code over Z_{p^n} was introduced in [10], where the authors considered 
the class of Z_{p^n}-splitting codes, which are free as Z_{p^n}-modules. 

In what follows we present techniques for lifting a given decoding algorithm 
for a linear code of length N over a finite field to a decoding scheme for a linear 
code of length N over a Galois ring. Specifically, if H is a parity check matrix 
for a code C, defined over a Galois ring of characteristic p^n, and C̄ is the code 
with parity check matrix H̄, where H̄ is the image of H modulo p, then we 
construct a decoding scheme for C by lifting an algorithm for C̄. The lifted 
algorithm involves n consecutive applications of the decoding procedure for C̄ 
and depends upon the existence of a unique representation of an error vector in 
the form e^0 + p e^1 + ... + p^{n−1} e^{n−1}. We also place a constraint on the type of 
error that can be corrected by such an algorithm; in particular, we require that 
for each i ∈ {0, ..., n − 1}, the modulo p image of e^i be correctable with respect 
to the algorithm for C̄. We implement this technique to derive decoding schemes 
for alternant codes over Galois rings by lifting decoding schemes for both the 
Hamming and the Lee distance. 

We introduce some notation and definitions. Assume throughout that all 
rings R and T are finite, local, commutative rings with unity. Let R have unique 
maximal ideal (p) for some prime p. The polynomial f ∈ R[x] is called basic 
irreducible if it is irreducible modulo p. We construct a Galois ring as a quotient 
ring of Z_{p^n}[x] in the following way. 

Definition 1. Let p be a prime number and let m, n be positive integers. Let 
f ∈ Z_{p^n}[x] be a monic basic irreducible polynomial of degree m. The quotient 
ring Z_{p^n}[x]/(f), denoted GR(p^m, n), is called the Galois ring of order p^{mn} and 
characteristic p^n. 



The reader is referred to [11] and [13] for a review of the theory of Galois 
rings. The integers p, m and n determine uniquely, up to isomorphism, the Galois 
ring GR(p^m, n). If R is a Galois ring we let k_R denote its unique residue field 
and R* its multiplicative group of units. For the remainder, let the symbol R 
denote the Galois ring GR(p^m, n) and let μ be the natural epimorphism from R 
onto k_R, defined by μa = a + (p) for each a ∈ R. Let T be a transversal on the 
cosets of (p) in R, so that if ν, ρ ∈ T then ν − ρ ∈ (p) if and only if ν = ρ. An 
arbitrary element θ ∈ R can be represented uniquely by the sum 

θ = Σ_{j=0}^{n−1} p^j θ_j, 

where θ_j ∈ T for each j ∈ {0, ..., n−1}, which we call the p-adic representation of 
θ for an arbitrary fixed transversal T. For a given θ ∈ R, the element θ_j (or (θ)_j 
if parentheses are required to avoid ambiguity) is the uniquely determined 
component of θ in T. We can extend this notation to vectors in R^N. Let v ∈ R^N, 
then v has the unique p-adic representation v = v^0 + p v^1 + ... + p^{n−1} v^{n−1} where 
each v^i has components in T. We denote by the symbol v^{(i)} the truncation of 
this sum modulo p^{i+1}, so v^{(i)} = v^0 + p v^1 + ... + p^i v^i. For R = Z_{p^n}, the Lee 
distance is defined as follows. Given θ ∈ Z_{p^n}, the Lee value of θ, denoted |θ|_L, 
is defined by 

|θ|_L = θ, if 0 ≤ θ ≤ p^n/2;  p^n − θ, if p^n/2 < θ ≤ p^n − 1, 

where the symbol representing θ is an element of {0, ..., p^n − 1}. 



Definition 2. Let N be a positive integer and let u, v be arbitrary vectors in 
Z_{p^n}^N. The Lee distance, denoted d_L(u, v), is defined by 

d_L(u, v) = Σ_{j=1}^{N} |u_j − v_j|_L, 

evaluated over the integers. We denote by wt_L(u) the Lee weight of a vector 
u ∈ Z_{p^n}^N, where wt_L(u) = d_L(u, 0). 

Given an arbitrary vector v ∈ Z_{p^n}^N we denote by v^+ = [v_0^+, ..., v_{N−1}^+] and v^− = 
[v_0^−, ..., v_{N−1}^−] the vectors in Z_{p^n}^N defined by 

v_j^+ = v_j, if v_j = |v_j|_L;  0 otherwise, 

v_j^− = p^n − v_j, if p^n − v_j = |v_j|_L;  0 otherwise, 

which gives the decomposition v = v^+ − v^−. 

Gröbner bases are structures which provide powerful tools for the study of 
multivariate polynomial ideals. The particular algorithms given in subsequent 
sections are devised as lifts of decoding algorithms which use Gröbner basis 
techniques. We mention any relevant details of the theory in its application to 
decoding alternant codes. The interested reader is referred to [2], [3], [6], [7] and 
[8] for a review of the general theory of Gröbner bases. 

Consider the module R[x]^2. A term in R[x]^2 is an element of the form 
(x^i, 0) or (0, x^j) for some integers i, j ≥ 0. A monomial in R[x]^2 is a non-zero 
constant multiple of a term in R[x]^2. A term X is divisible by a term Y if there 
exists a nonnegative integer ℓ such that X = x^ℓ Y. 

Definition 3. A term order < on R[x]^2 is defined by the following properties. 

(i) < is a linear order on the set of terms of R[x]^2 

(ii) if X, Y are terms in R[x]^2 such that X < Y, then x^ℓ X < x^ℓ Y for any 
nonnegative integer ℓ 

(iii) every strictly descending sequence of terms in R[x]^2 terminates 

We define a term order <_ℓ for each integer ℓ as follows. 

(i) (x^{i_1}, 0) <_ℓ (x^{i_2}, 0) if and only if i_1 < i_2, and (0, x^{j_1}) <_ℓ (0, x^{j_2}) if and only if 
j_1 < j_2 

(ii) (x^i, 0) <_ℓ (0, x^j) if and only if i + ℓ < j 

Let (a, b) ∈ R[x]^2. The leading term of (a, b), denoted lt(a, b), is identified as the 
greatest term occurring in an expansion of (a, b) as an R-linear combination 
of terms. The coefficient attached to lt(a, b) is the leading coefficient of (a, b) 
and is denoted by lc(a, b). The leading monomial of (a, b) is given by lm(a, b) = 
lc(a, b) lt(a, b). 

Definition 4. Let A be an R[x]-submodule of R[x]^2. A set G = {(g_1, h_1), ..., (g_ℓ, h_ℓ)} ⊆ 
A of non-zero elements is called a Gröbner basis of A if, for each (a, b) ∈ A, 
there exists an i ∈ {1, ..., ℓ} such that lm(a, b) is divisible by lm(g_i, h_i). 

Note that, given an arbitrary term order <, every Gröbner basis G of A must 
contain an element with minimal leading term in A, otherwise some element 
in the module would have leading monomial divisible by none of the leading 
monomials of elements in G. The algorithms discussed in Sections 3 and 4 involve 
finding a minimal element of a module by generating a Gröbner basis. 



2 The General Decoding Scheme 

Let T be a subring of R and let C be the T-linear code of length N defined by 

C = {c ∈ T^N : Hc = 0} 

for some r × N parity check matrix H with symbols in R and let d be a metric 
on R^N. Let c ∈ C be a transmitted codeword and v ∈ R^N the corresponding 
received word. We assume that v = c + e for some error vector e ∈ R^N of 
minimal weight in e + C. We denote by C̄ the k_T-linear code defined by 

where μH = H̄. Note that C̄ = μC if and only if C is splitting. Let d̄ be a metric 
on k_T^N and suppose there exists a decoding algorithm (Ā, d̄) for the code C̄, which 
determines an error vector e' ∈ k_T^N of minimal weight given a received word v' ∈ 
k_T^N. Explicitly, we suppose that (Ā, d̄) recovers e' ∈ k_T^N where H̄v' = H̄(c' + e') = 
H̄e' = s' for some codeword c' ∈ C̄. Let T be a transversal on the cosets of (p) 
in R. Express e ∈ R^N uniquely in the form e = e^0 + p e^1 + ... + p^{n−1} e^{n−1} where 
e^i_j ∈ T for all i ∈ {0, ..., n − 1} and j ∈ {0, ..., N − 1}. Suppose that μe^i has 
minimal weight in μe^i + C̄ for each i ∈ {0, ..., n − 1}. Then 

Hv = H(c + e) = He = s 
   = He^0 + p He^1 + ... + p^{n−1} He^{n−1} 
   = s^{[0]} + p s^{[1]} + ... + p^{n−1} s^{[n−1]} 

where s^{[i]} = He^i for each i ∈ {0, ..., n − 1}. Note that given any j ∈ {0, ..., N − 1}, 
the element (He^i)_j may not be contained in T, so the vectors s^{[i]} and s^i may be 
distinct. Applying the natural epimorphism to the above yields 

μs^0 = μs = H̄μv = H̄(μc + μe) = H̄μe = H̄μe^0. 

By hypothesis, we may implement the scheme (Ā, d̄) to recover μe^0, of minimal 
weight in μe^0 + C̄, from the syndrome μs^0 and hence determine e^0, the unique 
preimage with components in T, of the vector μe^0. 

We continue iteratively, solving for each e^i in turn, to extend the decoding 
scheme (Ā, d̄) to a scheme (A, d, d̄) for C. At the i-th step let v^{{i}} = v − e^{(i−1)}; 
then 

s^{{i}} = Hv^{{i}} = H(v − e^{(i−1)}) = H(e − e^{(i−1)}) 
       = p^i He^i + ... + p^{n−1} He^{n−1} 
       = p^i s^{[i]} + ... + p^{n−1} s^{[n−1]} 
       = (s^{{i}})^0 + p (s^{{i}})^1 + ... + p^{n−1} (s^{{i}})^{n−1}. 

It follows that s^{{i}} ∈ (p^i) and (s^{{i}})^j = 0 for each j ∈ {0, ..., i − 1}. Thus 

p^i ((s^{{i}})^i − s^{[i]}) ∈ (p^{i+1}) 

and hence 

H̄μe^i = μs^{[i]} = μ(s^{{i}})^i. 

We invoke (Ā, d̄) on μ(s^{{i}})^i to recover μe^i and hence the vector e^{(i)} = e^{(i−1)} + 
p^i e^i. After the n-th iteration the error vector e is determined and the received 
word v is decoded to c = v − e. We summarize these results in the following 
theorem. 

Theorem 1. Let C be an R-linear code of length N. Suppose that for some 
distance function d̄ on k_R^N there exists a decoding scheme (Ā, d̄) for C̄ which 
corrects any error pattern e' ∈ k_R^N of minimal weight in e' + C̄. Then the decoding 
scheme (Ā, d̄) can be lifted to a decoding scheme (A, d, d̄) for C which corrects 
any error pattern e ∈ R^N satisfying 

(i) e has minimal weight in e + C 

(ii) μe^i has minimal weight in μe^i + C̄ for each i ∈ {0, ..., n − 1}. 
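The lifting iteration of Section 2 carried out for R = Z_4, as an added example that is not part of the original paper. It assumes p = 2, n = 2, transversal T = {0, 1}, and takes as the base scheme (Ā, d̄) single-error syndrome decoding of the binary [7,4] Hamming code, whose parity check matrix H is constructed here and read over Z_4 to define C.

```python
# Added example (not from the paper): the two-step lifted decoder of Section 2
# for R = Z_4 (p = 2, n = 2, T = {0, 1}), with the binary [7,4] Hamming code as C-bar.

P, NDIG = 2, 2          # ring Z_{p^n}; NDIG = n is the number of p-adic digits
Q = P ** NDIG           # 4
NLEN = 7                # code length N

# Column j (1-based) of H is the binary expansion of j: a 3 x 7 Hamming check matrix.
H = [[(j >> r) & 1 for j in range(1, NLEN + 1)] for r in range(3)]


def syndrome(v, modulus):
    """H v computed in Z_modulus (modulus = 4 for C, 2 for C-bar)."""
    return [sum(H[r][j] * v[j] for j in range(NLEN)) % modulus for r in range(3)]


def decode_hamming(s_bar):
    """Base decoder (A-bar, d_H) for C-bar: a nonzero binary syndrome is the
    binary expansion of the (1-based) position of the single error."""
    pos = sum(b << r for r, b in enumerate(s_bar))
    e_bar = [0] * NLEN
    if pos:
        e_bar[pos - 1] = 1
    return e_bar


def lifted_decode(v):
    """Recover e = e^0 + p e^1 from v = c + e over Z_4, one p-adic digit per step:
    v^{i} = v - e^{(i-1)}, s^{i} = H v^{i} lies in (p^i), and (s^{i})^i mod p is
    the C-bar syndrome of mu(e^i)."""
    digits = []
    residual = list(v)                                   # v^{0} = v
    for i in range(NDIG):
        s = syndrome(residual, Q)                        # s^{i}, divisible by p^i
        assert all(x % P ** i == 0 for x in s)
        s_bar = [(x // P ** i) % P for x in s]           # i-th p-adic digit, mod p
        e_i = decode_hamming(s_bar)                      # mu(e^i), lifted into T
        digits.append(e_i)
        residual = [(residual[j] - P ** i * e_i[j]) % Q for j in range(NLEN)]
    e = [sum(P ** i * digits[i][j] for i in range(NDIG)) % Q for j in range(NLEN)]
    c = [(v[j] - e[j]) % Q for j in range(NLEN)]
    return e, c


def is_codeword(c):
    """c is in C iff H c = 0 in Z_4."""
    return all(x == 0 for x in syndrome(c, Q))


# Constructed sample: c is a Z_4 codeword (H c = 0 mod 4); the error has
# e^0 = unit vector at position 4 and e^1 = unit vector at position 1,
# so e = e^0 + 2 e^1 and each digit is correctable by the base decoder.
SAMPLE_C = [1, 1, 3, 0, 0, 0, 0]
SAMPLE_E = [0, 2, 0, 0, 1, 0, 0]
SAMPLE_V = [(a + b) % Q for a, b in zip(SAMPLE_C, SAMPLE_E)]

if __name__ == "__main__":
    print(lifted_decode(SAMPLE_V))
```

An error digit 3 at one position (e^0 and e^1 both nonzero there) is also recovered, since each digit is decoded separately.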

With T, R, C, C̄, d and d̄ as before, let wt(u) = d̄(u, 0) and wt(v) = d(v, 0) 
for each u ∈ k_R^N and v ∈ R^N. Let 

B_t(u, d) = {w ∈ R^N : d(u, w) ≤ t} 

denote the sphere of radius t about u, with respect to d, and let 

B̄_t(u, d̄) = {w ∈ R^N : d̄(μu^i, μw^i) ≤ t, i ∈ {0, ..., n − 1}}. 

Now let C and C̄ have minimum distances d and d̄ for the distance functions 
d and d̄, respectively. Let t = and let t̄ = . Suppose there exists a 
decoding algorithm (Ā, d̄, t̄) for C̄ which corrects any error pattern of weight at 
most t̄ in k_R^N. Then by Theorem 1, we can lift (Ā, d̄, t̄) to construct a decoding 
algorithm (A, d, t, t̄), which corrects any error pattern e in R^N satisfying wt(e) ≤ 
t and wt(μe^i) ≤ t̄, for each i ∈ {0, ..., n − 1}. So if v is a received word in R^N, we 
can implement the lifted algorithm (A, d, t, t̄) to decode v to a unique codeword 
c, provided that v ∈ B_t(c, d) ∩ B̄_{t̄}(c, d̄). 

Suppose that v ∈ B̄_{t̄}(c_1, d̄) ∩ B̄_{t̄}(c_2, d̄) for codewords c_1 and c_2 in C. Then 
v = c_1 + e_1 = c_2 + e_2 for some error vectors e_1 and e_2 in R^N satisfying wt(μe_1^i) ≤ 
t̄ and wt(μe_2^i) ≤ t̄ for each i ∈ {0, ..., n − 1}. Then s = Hv = He_1 = He_2 and 
μs = H̄μe_1 = H̄μe_2. Since the algorithm (Ā, d̄, t̄) computes a unique error pat- 
tern of weight at most t̄, then μe_1^0 = μe_2^0 and hence e_1^0 = e_2^0. Repeated ap- 
plications of the argument show that e_1 = e_2; indeed, if e_1^{(j)} = e_2^{(j)} for each 
j ∈ {0, ..., i − 1}, then 

H(v − e_1^{(i−1)}) = H(v − e_2^{(i−1)}), 

so that (s_1^{{i}})^i = (s_2^{{i}})^i and, since wt(μe_j^i) ≤ t̄ for j ∈ {1, 2}, we deduce that 
μe_1^i = μe_2^i. At the n-th iteration we find that e_1 = e_2. Thus the B̄_{t̄}(c, d̄) are 
disjoint for distinct c ∈ C. 

Definition 5. Let d̄ be a metric on k_R^N. We denote by d_max the metric on R^N 
induced by d̄ and defined by 

d_max(u, v) = max{d̄(μu^i, μv^i) : i ∈ {0, ..., n − 1}}. 

Given an integer ℓ, d_max(u, v) ≤ ℓ if and only if d̄(μu^i, μv^i) ≤ ℓ for each i ∈ 
{0, ..., n − 1}, so that B̄_ℓ(u, d̄) = B_ℓ(u, d_max). Then we decode a received word 
v ∈ R^N to a unique codeword c ∈ C if v ∈ B_{t̄}(c, d_max) and hence a bounded- 
distance decoder for C̄ can be lifted to a bounded-distance decoder for C. We 
have now proved the following result. 

Theorem 2. Let C be an R-linear code of length N. Suppose that for some 
distance function d̄ on k_R^N there exists a decoding scheme (Ā, d̄, t) for C̄ which 
corrects any error vector e' ∈ k_R^N such that wt(e') ≤ t. Then the decoding scheme 
(Ā, d̄, t) can be lifted to a decoding scheme (A, d_max, t) for C which corrects any 
error pattern e ∈ R^N satisfying wt_max(e) ≤ t. 
Remark 1. Let C be an R-linear code of length N and minimum Hamming 
distance d. Suppose the code C̄ has minimum Hamming distance d̄ ≤ d and let 
t = . Then the spheres B_t(c, d_Hmax) are disjoint for distinct c ∈ C and, 
since for each i ∈ {0, ..., n − 1} wt_H(μv^i) ≤ wt_H(v) for any v ∈ R^N, it follows 
that B_t(c, d_H) ⊆ B_t(c, d_Hmax) for each c ∈ C. 

Suppose now that C is a Z_{p^n}-linear code with minimum Lee distance d and 
that the Z_p-linear code C̄ has minimum Lee distance d̄. Let t = and 
let θ ∈ Z_{p^n}. It is not hard to see that |μθ_i|_L ≤ |θ|_L for each i ∈ {0, ..., n − 1} 
and hence for any v ∈ Z_{p^n}^N, wt_L(μv^i) ≤ wt_L(v) for each i ∈ {0, ..., n − 1}. In 
particular, if v ∈ Z_{p^n}^N and t = , then again the spheres B_t(c, d_Lmax) are 
disjoint for distinct c ∈ C and B_t(c, d_L) ⊆ B_t(c, d_Lmax) for all c ∈ C. 

Thus any bounded-distance decoding algorithms (Ā, t, d_H) and (Ā, t, d_L) for 
C̄ can be lifted to bounded-distance decoding schemes (A, t, d_H) and (A, t, d_L), 
respectively, for C. 



3 Decoding Alternant Codes for the Hamming Distance 

We implement the scheme outlined in Section 2, applying Theorem 1 to construct 
a decoding scheme for an alternant code defined over a Galois ring, by lifting a 
decoding algorithm for an alternant code defined over the corresponding residue 
field. Both the given algorithm and the lifted version are implemented with 
respect to the Hamming distance, and both decoding algorithms are bounded- 
distance. 

Definition 6. Let R and T be the Galois rings GR(p^n, m) and GR(p^n, m'), respectively, where m' divides m. Let N be a nonnegative integer less than p^m. We define C(N, r, α, γ, T), the alternant code of length N with symbols in T, by the parity check matrix

$$ H(N, r, \alpha, \gamma, T) = \begin{bmatrix} \gamma_0 & \gamma_1 & \cdots & \gamma_{N-1} \\ \gamma_0 \alpha_0 & \gamma_1 \alpha_1 & \cdots & \gamma_{N-1} \alpha_{N-1} \\ \vdots & \vdots & & \vdots \\ \gamma_0 \alpha_0^{r-1} & \gamma_1 \alpha_1^{r-1} & \cdots & \gamma_{N-1} \alpha_{N-1}^{r-1} \end{bmatrix}, $$

where γ = [γ_0, ..., γ_{N−1}] has its components in R* and the locator vector α = [α_0, ..., α_{N−1}] ∈ R^N satisfies α_i − α_j ∈ R* for all distinct i and j in {0, ..., N − 1}.

Let C be the code C(N, r, α, γ, T), defined as above, with parity check matrix H = H(N, r, α, γ, T). Let t = ⌊r/2⌋. The code C has minimum Hamming distance greater than r and corrects all error patterns of Hamming weight at most t (see, for example, [1] or [12]). Then C̄ = C(N, r, ᾱ, γ̄, k_T), where μα = ᾱ and μγ = γ̄, and C̄ is also a t-Hamming-error-correcting code.

Consider the following decoding algorithm (A, t, d_H) for C̄, described in [8], which computes an error vector e of Hamming weight at most t, given a received word v = c + e for some codeword c ∈ C̄. Let J = {j ∈ {0, ..., N − 1} : e_j ≠ 0}. Determining the error locations amounts to solving the key equation

$$ \Sigma S = \Omega \bmod x^r \qquad (1) $$

where S is the syndrome polynomial associated with s = Hv, the error locator polynomial is Σ = ∏_{j∈J} (1 − ᾱ_j x) and Ω = Σ_{j∈J} e_j γ̄_j ∏_{k∈J, k≠j} (1 − ᾱ_k x) is the error evaluator polynomial. It has been shown that the required solution (Σ, Ω) has minimal leading term under <_{−1} of the elements in the module

$$ M = \{ (a, b) \in k_R[x]^2 : aS = b \bmod x^r \} $$

of all solutions to the key equation (1). In particular, a unit multiple of (Σ, Ω) is contained in any Gröbner basis of M under this term order. Given S, computation of the appropriate basis may be performed by invoking any of the algorithms established in [8]. Then the coefficients of e may be computed using a method such as a Forney procedure [9], adapted in the obvious way for an alternant code.

Now let v ∈ R^N be a received word with corresponding error vector e ∈ R^N satisfying wt_H(e) ≤ t. Then for each i ∈ {0, ..., n − 1},

$$ \mathrm{wt}_H(\mu e^i) = \mathrm{wt}_H(e^i) \le \mathrm{wt}_H(e) \le t $$

and we define J_i = {j ∈ {0, ..., N − 1} : e^i_j ≠ 0}, an error locator polynomial Σ^{[i]} = ∏_{j∈J_i} (1 − α_j x), a syndrome polynomial S^{[i]} = Σ_{k=0}^{r−1} Σ_{j∈J_i} ⋯ and a key equation Σ^{[i]} S^{[i]} = Ω^{[i]} mod x^r, where Ω^{[i]} = Σ_{j∈J_i} e^i_j γ_j ∏_{k∈J_i, k≠j} (1 − α_k x).

Following the scheme presented in Section 2, at the i-th iteration we assume that e^{(i−1)} is known and set v^{[i]} = v − e^{(i−1)}. Then Hμe^i = μs^{[i]} = ⋯, where for each j, k ∈ {0, .., n − 1}, s^{[j]} = He^{j} and ⋯. Consider the equation

$$ \mu\Sigma^{[i]} \, \mu S^{[i]} = \mu\Omega^{[i]} \bmod x^r . $$

Since wt_H(μe^i) ≤ t, we may apply the algorithm (A, t, d_H) to H̄ and μ(s^{[i]})^i. The i-th required solution (μΣ^{[i]}, μΩ^{[i]}) is the unique (up to multiplication by a unit) element of the module

$$ M^{[i]} = \{ (a, b) \in k_R[x]^2 : a\, \mu S^{[i]} = b \bmod x^r \} $$

with minimal leading term with respect to the term order <_{−1} and hence is contained in a Gröbner basis of M^{[i]}. Having found μe^i, the vector e^{(i)} = e^{(i−1)} + p^i e^i is uniquely determined. After the n-th step the error vector is recovered.

Example 1. Let R = GR(3^3, 3) ≅ Z_27[ξ] where ξ is a root of f = ⋯ − 5x − 1 mod 27 and let T = {0, 1, ξ, ..., ξ^{⋯}}. Let C = C(8, 4, α, γ, Z_27) and H = H(8, 4, α, γ, Z_27) where α = [1, ⋯] and γ = [⋯ + 3, 2, 6ξ + 1, 1, 9ξ + 1, 18ξ + 2, 1]. Then H̄ = H(8, 4, ᾱ, γ̄, Z_3) and both C and C̄ are double-error correcting codes. Let c be a transmitted codeword, v the received word and let e = v − c = [0, 1, 0, 0, 0, 18, 0, 0] be the error vector. Then μS^{[0]} = μS = 2 + 2ξx + ⋯ and, invoking an analogue of the Euclidean Algorithm as outlined in [8], we generate a Gröbner basis for M^{[0]} from the generating set {(1, μS), (0, x^4)}.



[Table: steps of the Euclidean-type algorithm for M^{[0]}, with columns (a_1, b_1), (a_2, b_2) and g, starting from (0, x^4) and (1, μS); the intermediate entries are not legible in the scan.]
The element (ξ^{⋯}x + 1, ξ^{⋯}) has minimal leading term in M^{[0]} and the polynomial ξ^{⋯}x + 1 has the root ⋯ whose inverse is ⋯ and corresponds to an error occurring at μe^0_1. We compute the error magnitude μe^0_1 = 1 so μe^0 = [0, 1, 0, 0, 0, 0, 0, 0] = e^0. Then S^{[1]} = 18ξ + (9 + 18ξ)x + (9ξ + 9)x^2 + 18x^3 = 9(2ξ + (1 + 2ξ)x + (ξ + 1)x^2 + 2x^3) = 9(S^{[1]})^2 and Hμe^1 = μ(S^{[1]})^1 = 0, so that μe^1 = e^1 = 0. Continuing, we find μ(S^{[2]})^2 = ⋯ + ξ^{⋯}x + ⋯ and, as before, we compute a Gröbner basis of M^{[2]}:



[Table: steps of the Euclidean-type algorithm for M^{[2]}, with columns (a_1, b_1), (a_2, b_2) and g, starting from (0, x^4) and (1, μS^{[2]}); the intermediate entries are not legible in the scan.]

The element with minimal leading term is (ξx + 1, ξ), and the inverse of the root of the polynomial ξx + 1 is ⋯, indicating that an error has occurred at μe^2_5. Computing the error magnitude, we find that μe^2 = [0, 0, 0, 0, 0, 2, 0, 0] = e^2. The actual error vector is determined to be e = e^0 + 3e^1 + 9e^2 = [0, 1, 0, 0, 0, 18, 0, 0].

4 Lifting a Decoder for Lee Metric Alternant Codes 

We consider the class of alternant codes C(N, r, α, Z_{p^n}) = C(N, r, α, 1, Z_{p^n}) where 1 = [1, 1, ..., 1]. We apply Theorem 2 to lift a decoding algorithm (A, t, d_L) for C(N, r, ᾱ, Z_p) to a decoder (A, t, d_Lmax) for C(N, r, α, Z_{p^n}), where μα = ᾱ. Let 0 < r < p, and let C(N, r, α, Z_{p^n}) have minimum Lee distance d. If n > 1 then d ≥ 2r [5]. If n = 1 then

d = 2r if 0 < r < ⋯, and d = p if ⋯ < r ≤ p − 1

[14, Theorem 1]. Decoding schemes for C(N, r, ᾱ, Z_p) have been given in [5] and [14]. We outline an algorithm, (A, t, d_L), which corrects all errors of Lee weight at most t where

t = r − 1 if 0 < r < ⋯, ⋯
We introduce notation as defined in [14]. Let c ∈ C(N, r, ᾱ, Z_p) be a transmitted codeword and let v be the received word with associated error vector e = v − c, satisfying wt_L(e) ≤ t. The vectors e^+ and e^− are called the positive and negative error vectors. The syndrome values are defined by S_ℓ = Σ_{j=0}^{N−1} ⋯ for each ℓ ≥ 0, Σ^+ = ∏_{j=0}^{N−1} (1 − ᾱ_j x)^{e_j^+} and Σ^− = ∏_{j=0}^{N−1} (1 − ᾱ_j x)^{e_j^−} are the positive and negative error locator polynomials and the error-locator ratio ρ = Σ^+/Σ^− ∈ Z_p[[x]] satisfies

$$ S_j + \sum_{i=1}^{j-1} \rho_i S_{j-i} + j \rho_j = 0 \qquad (2) $$

for each j ≥ 1 [14]. Let Φ be the unique polynomial of degree less than r such that Φ = ρ mod x^r. Clearly Σ^− Φ = Σ^+ mod x^r, which gives a key equation. Let M be the module of all solutions to the key equation. From [8, Theorem 3.2] the element (Σ^−, Σ^+) has minimal leading term in M with respect to the term order <_D, where D = ∂Σ^+ − ∂Σ^− and

$$ D = \begin{cases} S_0 & \text{if } 0 \le S_0 \le t \\ S_0 - p & \text{if } p - t \le S_0 \le p - 1 \end{cases} $$

[14, Theorem 7]. Since r < p, for each ℓ ∈ {1, ..., r − 1} Equation (2) can be solved iteratively for unique Φ_ℓ = ρ_ℓ, where we initialise the sequence by setting Φ_0 = 1. Once Φ has been determined, we compute a Gröbner basis of M, again applying algorithms given in [8]. For each j ∈ {0, ..., N − 1}, the error magnitudes e_j^+ and e_j^− correspond to the multiplicity of the linear factor x − ᾱ_j in Σ^+ and Σ^−, respectively, and may be determined by adopting a modified Chien search [14].
The lifted version of this algorithm proceeds as follows. Let C = C(N, r, α, Z_{p^n}) and suppose the codeword c ∈ C is sent and v = c + e is received, where wt_L(μe^i) ≤ t for each i ∈ {0, ..., n − 1}. At the i-th iteration assume that e^{(i−1)} is known and set v^{[i]} = v − e^{(i−1)}. Then H(μe^i)^+ = (μs^{[i]})^+ = (μ(s^{[i]})^i)^+ and H(μe^i)^− = (μs^{[i]})^− = (μ(s^{[i]})^i)^−. We associate with the positive (negative) error vector (e^i)^+ ((e^i)^−) an i-th positive (negative) error locator polynomial

$$ (\Sigma^{[i]})^+ = \prod_{j=0}^{N-1} (1 - \bar\alpha_j x)^{(e^i_j)^+} \qquad \Big( (\Sigma^{[i]})^- = \prod_{j=0}^{N-1} (1 - \bar\alpha_j x)^{(e^i_j)^-} \Big) $$

in k_R[x] and an i-th key equation (Σ^{[i]})^− Φ^{[i]} = (Σ^{[i]})^+ mod x^r. Let D^{[i]} = ∂(Σ^{[i]})^+ − ∂(Σ^{[i]})^− and let M^{[i]} be the i-th solution module. Then the i-th required solution ((Σ^{[i]})^−, (Σ^{[i]})^+) has minimal leading term in M^{[i]} with respect to the term order <_{D^{[i]}} and hence is contained in a Gröbner basis of M^{[i]}. We find the polynomial Φ^{[i]} and then compute the required basis. Once μe^i is known, we can determine the vector e^{(i)} = e^{(i−1)} + p^i e^i.

Example 2. Let R = Z_49, and let α = [1, 19, 18, 48, 30, 31]. Let C = C(6, 3, α, Z_49) so that C̄ = C(6, 3, ᾱ, Z_7) and both C and C̄ have minimum Lee distance at least 6. Suppose the all-zero codeword is sent, and the error pattern e = [1, 0, 0, 8, 0, 42] is received. Let T = {0, 1, ..., 6}. Then e = [1, 0, 0, 1, 0, 0] + 7[0, 0, 0, 1, 0, 6] with respect to T and wt_L(μe^i) = 2 for i = 0, 1. We perform two consecutive implementations of an algorithm (A, 2, d_L) for C̄. Now μs = Hμe = [2, 0, 2] so that μS^{[0]} = μS = 2x^2, and μS_0^{[0]} = 2. We solve for Φ^{[0]} = 1 + 6x^2. Then {(1, 1 + 6x^2), (0, x^3)} is a Gröbner basis of M^{[0]} with respect to the term order <_2. The minimal element is (1, 1 + 6x^2) and the polynomial 1 + 6x^2 has roots 6 = 5^3 and 1, with corresponding inverses 5^3 and 1, indicating that (μe^0)^+ = [1, 0, 0, 1, 0, 0] and (μe^0)^− = 0, so μe^0 = [1, 0, 0, 1, 0, 0]. Then μ(s^{[1]})^1 = μ(H(v − e^0))^1 = [0, 3, 6], μS_0^{[1]} = 0, μS^{[1]} = 3x + 6x^2, and D^{[1]} = 0. The polynomial Φ^{[1]} is given by 1 + 4x + 5x^2 and we compute {(2x, 2x + x^2), (2 + x, 2 + 2x)}, a Gröbner basis of M^{[1]} with respect to <_0. Then ((Σ^{[1]})^−, (Σ^{[1]})^+) = (2 + x, 2 + 2x) and the inverses of the roots of (Σ^{[1]})^− and (Σ^{[1]})^+ are given by 3 = 5^5 and 6 = 5^3. It follows that (μe^1)^+ = [0, 0, 0, 1, 0, 0], (μe^1)^− = [0, 0, 0, 0, 0, 1] and thus μe^1 = [0, 0, 0, 1, 0, 6]. The error vector is then calculated as e = [1, 0, 0, 1, 0, 0] + 7[0, 0, 0, 1, 0, 6] = [1, 0, 0, 8, 0, 42].
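The digit-by-digit lifting of Theorem 2 as it is used in Sections 3 and 4, worked on the code and error vector of Example 2; this is an added example, not the paper's code. It assumes the digit set T = {0, ..., p−1} and replaces the Gröbner-basis residue decoder (A, t, d) of [8] and [14] by a brute-force syndrome table over Z_p (Lee or Hamming weight), while Φ is computed from equation (2) exactly as described above.

```python
"""Lifting a bounded-distance decoder from the residue code over Z_p to the
alternant code over Z_{p^n}, one p-adic digit of the error per iteration.

Added example for this page (not the authors' code). The Groebner-basis
algorithm (A, t, d) of [8]/[14] is replaced by a brute-force syndrome table
over the residue code; the lifting loop itself follows Sections 2-4.
"""
from itertools import product


def hamming_weight(vec, q):
    """Hamming weight of a vector over Z_q."""
    return sum(1 for a in vec if a % q)


def lee_weight(vec, q):
    """Lee weight over Z_q: coordinate a contributes min(a, q - a)."""
    return sum(min(a % q, q - a % q) for a in vec)


def syndrome(H, vec, q):
    """Syndrome s = H v over Z_q (H given as a list of rows)."""
    return tuple(sum(h * x for h, x in zip(row, vec)) % q for row in H)


def alternant_pcm(alpha, r, q):
    """H(N, r, alpha, 1, Z_q) of Section 4: row i holds alpha_j^i, 0 <= i < r."""
    return [[pow(a, i, q) for a in alpha] for i in range(r)]


def residue_syndrome_table(Hbar, p, t, weight):
    """Brute-force stand-in for the residue decoder (A, t, d): map the syndrome
    of every error of weight <= t over Z_p to that error.  A collision would
    mean t exceeds the bounded-distance radius of the residue code."""
    N = len(Hbar[0])
    table = {}
    for e in product(range(p), repeat=N):
        if weight(e, p) <= t:
            s = syndrome(Hbar, e, p)
            if table.setdefault(s, e) != e:
                raise ValueError("syndrome collision: t too large for this code")
    return table


def error_locator_ratio(Sbar, p, r):
    """Coefficients Phi_0..Phi_{r-1} of Phi = rho mod x^r from equation (2):
    S_j + sum_{i=1}^{j-1} rho_i S_{j-i} + j rho_j = 0 with rho_0 = 1 (needs r < p)."""
    phi = [1]
    for j in range(1, r):
        acc = (Sbar[j] + sum(phi[i] * Sbar[j - i] for i in range(1, j))) % p
        phi.append((-acc * pow(j, p - 2, p)) % p)   # pow(j, p-2, p) = 1/j mod p
    return phi


def lift_decode(H, v, p, n, table):
    """Recover e from v = c + e over Z_{p^n}, assuming every digit e^i has
    weight <= t.  Returns (e, [e^0, ..., e^{n-1}]) with e = sum_i p^i e^i and
    digits in T = {0, ..., p-1}."""
    q = p ** n
    N = len(v)
    e_known = [0] * N          # e^{(i-1)} = sum_{j<i} p^j e^j
    digits = []
    for i in range(n):
        # s^{[i]} = H (v - e^{(i-1)}) = p^i (H e^i + p * ...), so dividing by p^i
        # and reducing mod p leaves Hbar * mu(e^i), the residue syndrome of digit i.
        s = syndrome(H, [(a - b) % q for a, b in zip(v, e_known)], q)
        if any(x % p ** i for x in s):
            raise ValueError("syndrome not divisible by p^i: weight assumption violated")
        s_bar = tuple((x // p ** i) % p for x in s)
        e_i = table[s_bar]
        digits.append(list(e_i))
        e_known = [(a + p ** i * b) % q for a, b in zip(e_known, e_i)]
    return e_known, digits


def example_2():
    """Example 2 of the page: C(6, 3, alpha, Z_49), Lee radius t = 2,
    all-zero codeword sent, v = e = [1, 0, 0, 8, 0, 42]."""
    p, n, r = 7, 2, 3
    alpha = [1, 19, 18, 48, 30, 31]
    H = alternant_pcm(alpha, r, p ** n)
    Hbar = alternant_pcm(alpha, r, p)          # mu(alpha) = alpha mod 7
    table = residue_syndrome_table(Hbar, p, 2, lee_weight)
    v = [1, 0, 0, 8, 0, 42]
    return lift_decode(H, v, p, n, table)


if __name__ == "__main__":
    e, digits = example_2()
    print("e   =", e)            # [1, 0, 0, 8, 0, 42]
    print("e^0 =", digits[0])    # [1, 0, 0, 1, 0, 0]
    print("e^1 =", digits[1])    # [0, 0, 0, 1, 0, 6]
```

The same loop with `hamming_weight` in the table is the Hamming-distance lifting of Section 3 over Z_{p^n}; Example 1 additionally needs Galois-ring arithmetic in ξ, which this block does not implement.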
Abstract. First, top-down RMLD (recursive maximum likelihood decoding) algorithms are reviewed. Then, in connection with adjacent sub-codewords, a concept of conditional syndrome is introduced. Based on this, sufficient conditions of most likely local sub-codewords in top-down RMLD algorithms are presented. These conditions lead to efficient implementations of top-down RMLD algorithms.



1 Introduction 

For i ≤ j, [i, j] denotes the set of integers from i to j, called a section. For a positive integer n, V^n denotes the set of binary n-tuples. For u = (u_1, u_2, ..., u_n) ∈ V^n and a subset I = {i_1, i_2, ..., i_m} of [1, n], p_I u = (u_{i_1}, u_{i_2}, ..., u_{i_m}). For U ⊆ V^n, p_I U = {p_I u : u ∈ U} and U_I = p_I{u ∈ U : sup(u) ⊆ I}, where sup(u) denotes the support of u. For a matrix M with n columns, p_I M denotes the submatrix of M consisting of the i_1-th, the i_2-th, ..., the i_m-th columns in this order.

We assume that a binary (N, K) linear block code C is used over an AWGN channel with BPSK signaling and each codeword is equally transmitted. For a received sequence r = (r_1, r_2, ..., r_N), let z = (z_1, z_2, ..., z_N) denote the binary hard-decision sequence for r. For I ⊆ [1, N] and u ∈ p_I V^N, define

$$ L(u) = \sum_{\{ i \in I : u_i \ne z_i \}} |r_i| . \qquad (1) $$

L(u) is called the correlation discrepancy of u. By definition, L(u) ≥ L(z) = 0. For U ⊆ p_I V^N, define L[U] = min_{u∈U} L(u) and for u ∈ U such that L(u) = L[U], we write u = v[U] and call it the best (or the most likely) in U. For convenience, define L[∅] = ∞ for the empty set ∅. For the most likely codeword c_ML of C, c_ML = v[C].
We briefly review RMLD (recursive maximum likelihood decoding [1]) and introduce top-down RMLD based on a “call by need” approach [2]-[5]. For a binary linear block code A and its linear subcode B, let A/B denote the set of cosets of B in A. Let I ⊆ [1, N] and D be a coset in p_I C/C_I.

Local Optimum [1] : For any codeword u' ∈ C such that p_I u' ∈ D, there is u ∈ C such that

p_I u = v[D] and L(u) ≤ L(u'). (2)

v[D] is called the most likely local (MLL) sub-codeword in D.

Let I and J be disjoint subsets in [1, N]. For u ∈ p_I V^N and v ∈ p_J V^N, u ∘ v denotes a binary (|I| + |J|)-tuple w such that p_I w = u and p_J w = v. Note that u ∘ v = v ∘ u, by definition. For u ∈ p_I C and v ∈ p_J C, u and v are said to be adjacent if and only if u ∘ v ∈ p_{I∪J}C. For U_I ⊆ p_I V^N and U_J ⊆ p_J V^N, define U_I ∘ U_J as {u ∘ v : u ∈ U_I and v ∈ U_J}. If u and v are adjacent, {u + C_I} ∘ {v + C_J} ⊆ p_{I∪J}C and therefore, cosets {u + C_I} and {v + C_J} are said to be adjacent. The following lemma holds.

Decomposition Lemma [1] : Let I and J be disjoint nonempty subsets of [1, N]. Let D be a coset in p_{I∪J}C/C_{I∪J}. Then there is a unique pair (D_I, D_J) such that D_I ∈ p_I C/C_I, D_J ∈ p_J C/C_J and v[D] = v[D_I] ∘ v[D_J].

Section Tree : A binary tree, called a section tree, is used to show the partition of local decoding sections in RMLD. A section tree ST is chosen independently of received signal sequences. Each node of ST represents a section and is labeled I_a, where a is a binary sequence. The level of node I_a is defined as |a|, the length of a. The root node represents [1, N] and is labeled I_λ. Nonleaf node I_a has two successor nodes denoted I_{a0} and I_{a1}, called a brother to each other. A complete uniform binary section tree with N = 2^m, |I_a| (the length of section I_a) = ⋯ and 0 ≤ |a| ≤ m represents a uniform binary sectionalization.

We abbreviate p_I C/C_I as T_I, I_a as a and T_{I_a} as T_a. For any index a and an integer l with 1 ≤ l ≤ |T_a|, let v_a(l) denote the MLL sub-codeword with the l-th smallest discrepancy in T_a, that is, with the smallest discrepancy in T_a \ ⋃_{i=1}^{l−1} {v_a(i) + C_a}. From Decomposition Lemma, there is a unique pair i_a(l) and j_a(l), such that 1 ≤ i_a(l) ≤ |T_{a0}|, 1 ≤ j_a(l) ≤ |T_{a1}| and

v_a(l) = v_{a0}(i_a(l)) ∘ v_{a1}(j_a(l)). (3)

The most likely codeword v_λ(1) is derived from v_0(i_λ(1)) and v_1(j_λ(1)) which can be obtained in turn recursively by (3). Simulation results [2]-[4] show i_a(l) ≪ |T_a| or j_a(l) ≪ |T_a| for almost all cases of relatively small |a|. To make effective use of this fact, top-down RMLD is designed.

Suppose v_{a0}(i) (or v_{a1}(j)) has been found. Then how can we find the best v which is adjacent to v_{a0}(i) (or v_{a1}(j))? As is shown in Sections 2 and 3, v is in a small block of T_{a1} (or T_{a0}) by analyzing the adjacent structure. For example, if |a| = 0, then the block consists of only a single coset. The block can be specified by conditional syndromes introduced in Section 3. In Sections 4 and 5, a procedure for finding v_a(l) and two different types of sufficient conditions that v_{a0}(i) ∘ v_{a1}(j) = v_a(l) are presented.
2 Adjacency

For I ⊆ [1, N], define Ī = [1, N] \ I. Let J be a subset of [1, N] disjoint from I, called a conditional subset. For w ∈ p_J C, called a condition vector, define

A_{I|J}(w) = {u ∈ p_I C : u ∘ w ∈ p_{I∪J}C}. (4)

For u ∈ A_{I|J}(w) and u' ∈ p_I C, u' ∈ A_{I|J}(w) iff

u + u' ∈ p_I C_{J̄}. (5)

That is, A_{I|J}(w) is a coset of p_I C/p_I C_{J̄}, abbreviated as A_{I|J}.

Let B_1, B_2, B_3 be linear block codes such that B_1 ⊇ B_2 ⊇ B_3. A coset D_2 ∈ B_1/B_2 consists of |B_2/B_3| cosets in B_1/B_3. Let D_2/B_3 denote {D_3 ∈ B_1/B_3 : D_3 ⊆ D_2} and (B_1/B_2)/B_3 denote the family of cosets {D_3 ∈ D_2/B_3 : D_2 ∈ B_1/B_2}. Each D_3 ∈ D_2/B_3 is called a B_1/B_2 block.

Since p_I C ⊇ p_I C_{J̄} ⊇ C_I, T_I (= p_I C/C_I) is partitioned by (p_I C/p_I C_{J̄})/C_I. Each block is called an A_{I|J} block of the same size B_{I|J} = |p_I C_{J̄}/C_I|. If J = Ī, then p_I C_{J̄} = C_I, that is, an A_{I|J} block consists of a single coset of C_I.

Let {I_1, I_2} be a partition of I. J may be empty. The following lemma holds.



Lemma 1. (Adjacent Structure)

(i) For u and u' in A_{I|J}(w), suppose

p_{I_1}u ∘ p_{I_2}u' ∈ A_{I|J}(w). (6)

Then

p_{I_1}u' ∘ p_{I_2}u ∈ A_{I|J}(w), (7)

u + u' ∈ p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}. (8)

(ii) Conversely, if u ∈ A_{I|J}(w), u' ∈ p_I C and (8) holds, then u' ∈ A_{I|J}(w) and (6) and (7) hold.

(Proof) Define p_{I_i}u = u_i and p_{I_i}u' = u'_i for i ∈ {1, 2}.

(i) From (4), u_1 ∘ u_2 ∘ w and u'_1 ∘ u'_2 ∘ w are in p_{I∪J}C. If u_1 ∘ u'_2 ∈ A_{I|J}(w), then u_1 ∘ u'_2 ∘ w is also in p_{I∪J}C. Hence, u_1 ∘ u_2 ∘ w + u'_1 ∘ u'_2 ∘ w + u_1 ∘ u'_2 ∘ w = u'_1 ∘ u_2 ∘ w ∈ p_{I∪J}C. That is, u'_1 ∘ u_2 ∈ A_{I|J}(w). Since u'_1 ∘ u_2 and u'_1 ∘ u'_2 ∈ A_{I|J}(w), u_1 + u'_1 ∈ p_{I_1}C_{\overline{I_2∪J}} and u_2 + u'_2 ∈ p_{I_2}C_{\overline{I_1∪J}}. Since u + u' = (u_1 + u'_1) ∘ (u_2 + u'_2), (8) holds.

(ii) Since u ∈ A_{I|J}(w) and u + u' ∈ p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}} ⊆ p_I C_{J̄}, from (5) u' ∈ A_{I|J}(w). From (8), u_2 + u'_2 ∈ p_{I_2}C_{\overline{I_1∪J}}, that is, 0_{I_1} ∘ (u_2 + u'_2) ∘ 0_J ∈ p_{I∪J}C, where 0_{I_1} and 0_J denote zero vectors over I_1 and J, respectively. Since u_1 ∘ u_2 ∘ w ∈ p_{I∪J}C, u_1 ∘ u'_2 ∘ w ∈ p_{I∪J}C, that is, u_1 ∘ u'_2 ∈ A_{I|J}(w). From (i), (7) also holds. △
Define

D_i(w) = A_{I_i|J}(w)/C_{I_i}, i ∈ {1, 2}. (9)

The following graph provides a good insight into the adjacency relation between cosets in D_1(w) and D_2(w) in A_{I|J}(w).

Adjacency Graph : Define G_A as a bipartite graph such that (i) the two sets N_1 and N_2 of nodes are labeled with cosets in D_1(w) and D_2(w), respectively, in a one-to-one way and (ii) two nodes labeled with δ_1 ∈ D_1(w) and with δ_2 ∈ D_2(w) are connected by a branch with label δ_1 ∘ δ_2 iff δ_1 ∘ δ_2 ⊆ A_{I|J}(w). △

It follows from (4) that for i ∈ {1, 2},

p_{I_i} A_{I|J}(w) = A_{I_i|J}(w). (10)

Hence the set of branch labels in G_A, denoted B(G_A), is

A_{I|J}(w)/(C_{I_1} ∘ C_{I_2}). (11)

Note that

p_I C ⊇ p_I C_{J̄} ⊇ p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}} ⊇ C_{I_1} ∘ C_{I_2}. (12)

Then, A_{I|J}(w) ∈ p_I C/p_I C_{J̄} is partitioned into A_{I|J}(w)/(p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}), each block of which (a coset of p_I C/(p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}})) consists of |p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}| / |C_{I_1} ∘ C_{I_2}| cosets of p_I C/(C_{I_1} ∘ C_{I_2}). The resulting set of blocks is a partition of B(G_A). Therefore, (i) and (ii) of the following lemma hold from Lemma 1.

Lemma 2. (i) G_A consists of |p_I C_{J̄}| / |p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}| isomorphic complete bipartite subgraphs, called parallel components, and there are no cross connections between them.

(ii) For a parallel component P, its label set of branches, denoted B(P), is D/(C_{I_1} ∘ C_{I_2}), where D is a coset in A_{I|J}(w)/(p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}). The two label sets of nodes, denoted N_i(P) with i ∈ {1, 2}, are p_{I_i}B(P). For any u_1 ∘ u_2 ∈ δ_1 ∘ δ_2 ∈ B(P), N_i(P) = A_{I_i|(I_{i'}∪J)}(u_{i'} ∘ w)/C_{I_i} ∈ (p_{I_i}C/p_{I_i}C_{\overline{I_{i'}∪J}})/C_{I_i}, where i' = 2, 1 for i = 1, 2, respectively.

(iii) For different δ_1 ∘ δ_2 ∈ B(P) and δ'_1 ∘ δ'_2 ∈ B(P'), they are included in the same coset of p_I C/C_I only if P ≠ P'.

(Proof) (iii) For different δ_1 ∘ δ_2 ∈ B(P) and δ'_1 ∘ δ'_2 ∈ B(P'), suppose δ_1 ∘ δ_2 + δ'_1 ∘ δ'_2 = (δ_1 + δ'_1) ∘ (δ_2 + δ'_2) ⊆ C_I. Since (p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}) ∩ C_I = C_{I_1} ∘ C_{I_2}, if P = P', that is, δ_1 ∘ δ_2 + δ'_1 ∘ δ'_2 = (δ_1 + δ'_1) ∘ (δ_2 + δ'_2) ⊆ p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}, then δ_i + δ'_i ⊆ C_{I_i} for i ∈ {1, 2}. Since δ_i and δ'_i ∈ p_{I_i}C/C_{I_i}, δ_i = δ'_i, a contradiction. △

Property (iii) of Lemma 2 is refined as follows: For a parallel component P, T_I(P) = {D ∈ T_I : there is δ_1 ∘ δ_2 ∈ B(P) such that δ_1 ∘ δ_2 ⊆ D}.

Further property of G_A : The set of parallel components is partitioned into |p_I C_{J̄}| / |C_I + (p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}})| blocks of the same size |C_I + (p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}})| / |p_{I_1}C_{\overline{I_2∪J}} ∘ p_{I_2}C_{\overline{I_1∪J}}| in such a way that for parallel components P and P', if P and P' are in the same block, then T_I(P) = T_I(P') and otherwise, T_I(P) ∩ T_I(P') = ∅.
3 Conditional Syndromes

For a linear code A, A^⊥, H(A) and dim(A) denote the dual code of A, a parity check matrix of A and the number of information symbols of A, respectively. For a matrix M, M^T, r(M) and rank(M) denote the transposition, the number of rows and the rank of M, respectively. For a linear subcode B of A, define dim A/B = dim A − dim B. We can construct a parity check matrix of B whose submatrix of the last dim(A^⊥) rows is a parity check matrix of A. The remaining submatrix of the first dim A/B rows is called a syndrome matrix of A/B, denoted H(A/B). For an appropriately chosen H(B),

$$ H(B) = \begin{bmatrix} H(A/B) \\ H(A) \end{bmatrix} . \qquad (13) $$

For a linear subcode E such that A ⊇ E ⊇ B, we can construct a syndrome matrix of A/B whose submatrix of the last dim A/E rows is a syndrome matrix of A/E. The remaining submatrix is called a syndrome matrix of (A/E)/B.

Let I be a section. For convenience, define the following I-bit order <_I. For i and j in [1, N], i <_I j

— for i and j in I such that i < j,

— for i and j in Ī such that i < j in any given ordering of Ī,

— for i ∈ I and j ∈ Ī.

For a section I of main concern, called an m-section, we use the following matrix H^{(I)} as a parity check matrix of C. H^{(I)} is a trellis oriented generator matrix (TOGM [6]) for C^⊥ with respect to the I-bit order. For 1 ≤ i ≤ N − K, let ld(i) and tr(i) denote the column numbers of the leading ‘1’ and the trailing ‘1’ of the i-th row, denoted h^{(I)}(i), of H^{(I)}, respectively. Then by following the definition of TOGM,

ld(i) <_I ld(i') and tr(i) ≠ tr(i') for 1 ≤ i < i' ≤ N − K. (14)

For an m-section, we omit the super index I in H^{(I)} and h^{(I)}(i). It holds [7] that for J ⊆ [1, N],

(C_J)^⊥ = p_J(C^⊥). (15)

We will choose the following matrices H_{C,J} and H_J as H(C_J) and H(p_J C), respectively.

(H1) H_{C,J} : a submatrix of p_J H whose row set is a maximal subset of linearly independent rows of p_J H. H_{C,I} : the submatrix of p_I H consisting of nonzero rows of p_I H from (14).

(H2) H_J : the matrix whose set of rows is p_J R_J, where

R_J = {h(i) : sup(h(i)) ⊆ J for 1 ≤ i ≤ N − K}. (16)
It follows from (14) that rank(H_{C,J}) = r(H_{C,J}) and rank(H_J) = r(H_J).

A syndrome matrix of T_I (= p_I C/C_I) can be obtained as the submatrix derived from H_{C,I} by deleting the rows of its submatrix H_I. This specific form of H(T_I) is denoted by H_{S,I}. For u ∈ p_I C, define the syndrome of u, denoted s_I(u), as

s_I(u) = u H_{S,I}^T. (17)

s_I is a linear one-to-one mapping from T_I to V^{r(H_{S,I})} such that for u and u' ∈ p_I C,

s_I(u) = s_I(u') iff u + u' ∈ C_I. (18)

For a nonempty subset D of a coset in p_I C/C_I, define s_I(D) = s_I(u) for u ∈ D.

Next we introduce conditional syndromes. Let I be an m-section and J be a subset of [1, N] disjoint from I. J is called a conditional subset. From (H2), the rows of H_{I∪J} can be partitioned into p_{I∪J}R_{I,J}, p_{I∪J}R_I and p_{I∪J}R_J, where

R_{I,J} = {h(i) : sup(h(i)) ⊆ I ∪ J, sup(h(i)) ∩ I ≠ ∅, sup(h(i)) ∩ J ≠ ∅, 1 ≤ i ≤ N − K}. (19)

The submatrix consisting of the rows of p_{I∪J}(R_I ∪ R_J) is an H(p_I C ∘ p_J C) from (H2). Since p_I C ∘ p_J C ⊇ p_{I∪J}C, the submatrix consisting of the rows of p_{I∪J}R_{I,J} is a syndrome matrix of (p_I C ∘ p_J C)/p_{I∪J}C. From (14), p_I R_{I,J} and p_J R_{I,J} are linearly independent row sets. Let H_{I|J} and H_{J|I} denote the matrices whose row sets are given by p_I R_{I,J} and p_J R_{I,J}, respectively. From (H1) and (H2), the following lemma holds.

Lemma 3. (Adjacency Lemma)

(i) H_{I|J} and H_{J|I} are parity check matrices of p_I C_{J̄} and p_J C_{Ī}, respectively.

(ii) For u ∈ p_I C and w ∈ p_J C, u ∘ w ∈ p_{I∪J}C iff u H_{I|J}^T = w H_{J|I}^T. △

Note that H_{I|J} and H_{J|I} are syndrome matrices H(p_I C/p_I C_{J̄}) and H(p_J C/p_J C_{Ī}), respectively.

Recall that the row set of H_{S,I} is p_I R_{I,Ī}. Hence H_{S,I} can be partitioned into two submatrices, H_{I|J} and the remaining submatrix, denoted H_{I|r}, whose row set is p_I{h(i) : sup(h(i)) ∩ I ≠ ∅, sup(h(i)) ∩ (Ī \ J) ≠ ∅, 1 ≤ i ≤ N − K}. Then we have the following form of H_{S,I}:

$$ H_{S,I} = \begin{bmatrix} H_{I|r} \\ H_{I|J} \end{bmatrix} \qquad (20) $$

where H_{I|r} is a syndrome matrix of A_{I|J}/C_I.

For u ∈ p_I C and w ∈ p_J C, the s_{I|r} and s_{I|J} syndromes of u and the s_{J|I} syndrome of w are defined as

$$ s_{I|r}(u) = u H_{I|r}^T, \qquad s_{I|J}(u) = u H_{I|J}^T, \qquad s_{J|I}(w) = w H_{J|I}^T. \qquad (21) $$

It follows from (17), (20) and (21) that

s_I(u) = s_{I|r}(u) ∘ s_{I|J}(u), (22)

and if u ∘ w ∈ p_{I∪J}C,

s_I(u) = s_{I|r}(u) ∘ s_{J|I}(w). (23)

For u and u' ∈ p_I C, s_{I|J}(u) = s_{I|J}(u') iff cosets u + C_I and u' + C_I belong to the same A_{I|J} block. That is, s_{I|J}(u) identifies the block containing u + C_I, denoted A_{I|J}[s_{I|J}(u)]. If u ∘ w ∈ p_{I∪J}C, this block is the same as A_{I|J}(w), which is also represented as A_{I|J}[s_{J|I}(w)] for convenience. On the other hand, s_{I|r}(u) identifies the coset u + C_I in the A_{I|J} block. The above conditional syndrome can be generalized to multiple conditional subsets [5].

4 Search Procedure

For a nonleaf section I_a with a = a_1 a_2 ⋯ a_h ∈ {0, 1}^h, we will present an outline of a recursive procedure for finding v_a(l) based on the decomposition (3). The brother section of an ancestor section I_{a'} of I_a can be a conditional section, where a' is a nonnull prefix of a. Then a conditional set is a union of sections whose index set is a subset of (24):

{a_1 a_2 ⋯ a_{i−1} ā_i : 1 ≤ i ≤ h}, (24)

where 0̄ = 1 and 1̄ = 0. Empty J means no conditional set.

Given a condition vector w ∈ p_J C, our problem is to find the l-th best MLL sub-codeword in A_{I_a|J}[s] with s = s_{J|I_a}(w), denoted by v_a(J, s; l).

Let I_{a0} and I_{a1} be a partition of I_a. Either J or J_b = J ∪ I_{ab̄} is a conditional set for I_{ab} with b ∈ {0, 1}. The following abbreviations will be used:

s_b = ⋯, (25)

s_b(u) = s_{J_b|I_{ab}}(w ∘ u), for u ∈ p_{ab̄}C, (26)

u_b(i) = v_{ab}(J, s_b; i), for 1 ≤ i ≤ B_{I_{ab}|J} = |p_{ab}C_{J̄}/C_{ab}|, (27)

S_{a,J,s,l} = {s_{I_a}(v_a(J, s; i)) : 1 ≤ i < l}, for 1 ≤ l ≤ B_{I_a|J} = |p_a C_{J̄}/C_a|. (28)

Let u'_b(i) denote the best MLL sub-codeword in those cosets D ∈ p_{ab̄}C/C_{ab̄} which belong to the A_{I_{ab̄}|J_b}[s_b̄(u_b(i))] block such that s_{I_a}({u_b(i)} ∘ D) ∉ S_{a,J,s,l}. In the adjacency graph G_A where I = I_a, I_1 = I_{a0} and I_2 = I_{a1}, N_1(w) = A_{I_{a0}|J}[s_0]/C_{a0}, N_2(w) = A_{I_{a1}|J}[s_1]/C_{a1} and B(G_A) = A_{I|J}[s]/(C_{a0} ∘ C_{a1}). For a parallel component P in G_A such that {u_0(i) + C_{a0}} ∘ {u'_0(i) + C_{a1}} ∈ B(P), N_1(P) = A_{I_{a0}|J_0}[s_0(u'_0(i))]/C_{a0} and N_2(P) = A_{I_{a1}|J_1}[s_1(u_0(i))]/C_{a1}. Since P is a complete bipartite graph and the s_{I_a} syndromes of branch labels in P are all different, u'_0(i) is the best MLL sub-codeword in N_2(P) such that s_{I_a}(u_0(i) ∘ u'_0(i)) ∉ S_{a,J,s,l}. Such u'_0(i) exists, if l ≤ B_{I_a|J}.
From Decomposition Lemma, there exist integers j_0 and j_1 such that 1 ≤ j_b ≤ ⋯ with b ∈ {0, 1},

v_a(J, s; l) = v_{a0}(J, s_0; j_0) ∘ v_{a1}(J, s_1; j_1) (29)

= u_0(j_0) ∘ u_1(j_1). (30)

It follows from (30) and the definition of u'_b(i) that

v_a(J, s; l) = u_0(j_0) ∘ u'_0(j_0) = u'_1(j_1) ∘ u_1(j_1). (31)

For 1 ≤ i_b ≤ B_{I_{ab}|J} with b ∈ {0, 1},

U_f = {u_b(i) ∘ u'_b(i) : 1 ≤ i ≤ i_b, b ∈ {0, 1}}. (32)

The next lemma provides a sufficient condition that v[U_f] = v_a(J, s; l). Define

L_b(i) = L(u_b(i)), L'_b(i) = L(u'_b(i)). (33)

Minimality Lemma : Suppose that

L(v[U_f]) ≤ L_0(i_0) + L_1(i_1). (34)

Then,

v[U_f] = v_a(J, s; l). (35)

(Proof) If j_0 ≤ i_0 or j_1 ≤ i_1 in (30), then v_a(J, s; l) = v[U_f] from (31) and (32). Suppose j_0 > i_0 and j_1 > i_1. Then L(v_a(J, s; l)) = L_0(j_0) + L_1(j_1) ≥ L_0(i_0) + L_1(i_1) ≥ L(v[U_f]). Hence (35) holds.

5 Sufficient Conditions for Early Termination

For I ⊆ [1, N], let d_I(C) and d_I(x, y) denote the minimum distance of p_I(C) and the Hamming distance between binary |I|-tuples x and y, respectively. Let J be a subset disjoint from I.

For w ∈ p_J C and different x and y ∈ A_{I|J}(w), x + y ∈ p_I C_{J̄} and therefore,

d_I(x, y) ≥ d_I(C_{J̄}) ≥ d_{I∪J}(C_{J̄}) ≥ d_{I∪J}(C). (36)

For a subset B ⊆ A_{I|J}(w),

A_{I|J}(w) \ B ⊆ {x ∈ p_I V^N : d_I(x, u) ≥ d_I(C_{J̄}) for u ∈ B}. (37)

Hence we have the following lower bound on L[A_{I|J}(w) \ B]:

$$ L[A_{I|J}(w) \setminus B] \;\ge\; \min \Big\{ L(x) : x \in \bigcap_{u \in B} \{ x \in p_I V^N : d_I(x, u) \ge d_I(C_{\bar J}) \} \Big\}. \qquad (38) $$
[Figure: Fig. 1. Illustration for Minimality Lemma; x-axis labels (0, 0), L_0(1), L_0(2), ..., L_0(i_0).]

The right-hand side expression can be evaluated by an integer programming approach [8].

Example 1 : A lower bound on L(v_a(J, s; l)), where s = s_{J|I_a}(w) for w ∈ p_J C:

Let I = I_a and B = {v_a(J, s; j) : 1 ≤ j < l} ∪ C_g, where C_g ⊆ U_f. It follows from (38) that, since L[C_g] ≥ L(v_a(J, s; l)), either L[C_g] = L(v_a(J, s; l)) or

$$ L(v_a(J, s; l)) \;\ge\; \min \Big\{ L(x) : x \in \bigcap_{u \in B} \{ x \in p_{I_a} V^N : d_{I_a}(x, u) \ge d_{I_a}(C_{\bar J}) \} \Big\}. \qquad (39) $$

That is, a sufficient condition that v[C_g] = v_a(J, s; l) is given by

L(v[C_g]) < the right-hand side of (39). (40)

Similarly, lower bounds on L(v_{ab}(J, s_b; j)) and L(v_{ab̄}(J_b, s_b(u); j)) can be derived.



6 On Implementation

An effective implementation of the search procedure presented in Section 4 is under study [2]-[4]. Besides the results shown in Sections 2, 3 and 5, the following fact is also of use.

Lemma 4. (Transitive Invariant Lemma [5]) Suppose C is a binary transitive invariant code [9] and a binary uniform sectionalization is adopted. For a = a_1 a_2 ⋯ a_h ∈ {0, 1}^h, define ⋯ with 1 ≤ j ≤ ⋯ by (24). Then, for J = ⋯ with Q ⊆ [1, h], (i) H_{S,I_a} and (ii) ⋯ and ⋯ depend on h and Q only.

Reed-Muller codes and extended permuted codes of primitive BCH codes are examples of binary transitive invariant codes [9].
Abstract. In the literature there exist several methods for errors-and-erasures decoding of RS codes. In this paper we present a unified approach that makes use of behavioral systems theory. We show how different classes of existing algorithms (e.g., syndrome based or interpolation based, non-iterative, erasure adding or erasure deleting) fit into this framework. In doing this, we introduce a slightly more general WB key equation and show how this allows for the handling of erasure locations in a natural way.



1 Introduction 

Reed-Solomon (RS) codes find applications in storage and communication sys- 
tems. Their algebraic structure has given rise to several low-complexity algo- 
rithms for error correction. The most well known are the Berlekamp-Massey 
(BM), the Euclidean and the Welch-Berlekamp (WB) algorithm. 

The importance of having an errors-and-erasures correcting algorithm became truly apparent in the seminal paper [9] of G.D. Forney Jr., which presents a generalized minimum distance (GMD) decoding method which repeatedly employs errors-and-erasures decoding. In particular, efficient GMD decoding needs a fast iterative processing of erasures, i.e., a fast way to obtain the solution for f erasures from the solution with either f + 1 or f − 1 erasures (named erasure deletion and erasure addition, respectively).

The decoding of corrupted RS code words boils down to solving a key equation. Classical key equations are the BM key equation and the WB key equation. Araki et al. [1] introduced the generalized key equation of which the classical ones are particular examples. As is shown in Section 2, these key equations can be reformulated in terms of behavioral modeling. Behavioral modeling has already been used to provide a good understanding of errors-only decoding [15,16,17,18].

The main contribution of this paper is in Section 3, where our approach 
straightforwardly gives rise to a range of errors-and-erasures decoding algo- 
rithms, and where we make connections with the existing literature. We unify 
several presently known iterative errors-and-erasures decoding algorithms in one 
conceptually clear framework. We explain these algorithms and also give a new 
proof of the correctness of classical noniterative errors-and-erasures decoding in terms of behavioral modeling. Further, we generalize the WB key equation, which gives rise to a variant of the WB algorithm with which we can handle erasures.

2 General Framework 

2.1 Preliminaries on RS Codes and Key Equations for Errors-Only Decoding

Let {x_1, ..., x_n} be a subset of a finite field F with all x_i's distinct. We define a RS code as a set of codewords of the form c = (M(x_1), ..., M(x_n)), where M(x) is a polynomial of degree < k. RS codes are maximum distance separable (MDS), i.e. the minimum Hamming distance d of a (n, k) RS code equals n − k + 1. As a result, t errors and f erasures can be corrected if 2t + f ≤ d − 1 = n − k.

For decoding, the above definition naturally leads to the key equation 



$$ D(x_i) y_i = N(x_i) \eta_i \qquad (1) $$

for i = 0, ..., n − k. Here y_i and η_i are data derived from the received word; in this decoding context all η_i's are nonzero and y_{n−k} = 0. The aim of errors-only decoding is to find polynomials D(x) and N(x) that satisfy (1) and for which deg N < deg D and deg D is minimal. The error locations are then computed as the zeros of D(x). A well known algorithm for solving this problem is the WB algorithm, which processes the interpolation data (x_i, y_i, η_i) iteratively for i = 0, ..., n − k. In the literature η_i usually equals 1. In this paper, however, we prefer to leave η_i unspecified (possibly zero) as this allows us to incorporate erasure decoding in Section 3.

Alternatively, a RS code is defined as the set of codewords which have zeros at the zero locations $z_1, \ldots, z_{n-k}$. Here the zero locations are prespecified consecutive powers of a primitive element of $F$. Decoding methods are then derived on the basis of the syndrome sequence $(S_1, \ldots, S_{n-k}) := (r(z_1), \ldots, r(z_{n-k}))$, where $r(x)$ denotes the received polynomial. A relevant equation is Berlekamp's classical key equation 

$$ \Lambda(x)\, S(x) = \Omega(x) \bmod x^{d}. \qquad (2) $$

Here $S(x) := S_1 x + \cdots + S_{n-k} x^{n-k}$ is the syndrome polynomial. The aim of errors-only decoding is to find polynomials $\Lambda(x)$ and $\Omega(x)$ that satisfy (2) and for which $\Lambda(0) \ne 0$ and $\max\{\deg \Lambda, \deg \Omega\}$ is minimal. The error locations are then computed as the reciprocals of the zeros of $\Lambda(x)$. This problem is solved by the BM algorithm, which iteratively processes the syndrome components. Note that $\Lambda(x)$ corresponds to a shortest LFSR for the syndrome components $S_1, \ldots, S_{n-k}$. 

Both of the above described decoding methods are instances of polynomial interpolation. In the first method the interpolation points $x_0, \ldots, x_{n-k}$ are all distinct, whereas the second method performs repeated interpolation at one single point $x = 0$ (these originate from interpolation requirements on derivatives of the key equation). We denote the latter as interpolation at $(0, \{0, S_1, \ldots, S_{n-k}\})$. 

This common interpolation aspect is exploited in recent work [5] by Blackburn, who presents a generalized interpolation method that incorporates both types of interpolation. 



2.2 Errors-Only Decoding of RS Codes in a Behavioral Framework 

Formulation in Terms of Behavioral Modeling. Here we recall how decoding in terms of the above key equations is reformulated as behavioral modeling of certain trajectories in time. Let us start with Berlekamp's classical key equation (2). From the syndromes $S_1, \ldots, S_{d-1}$ we define the trajectory $b : \mathbb{Z}_+ \to F^2$ given by 



$$ b = \begin{pmatrix} S_{d-1} & S_{d-2} & \cdots & S_1 & 0 & 0 & \cdots \\ 0 & 0 & \cdots & 0 & 1 & 0 & \cdots \end{pmatrix}, \qquad (3) $$

that is, the first component of $b$ lists the syndromes in reversed order at times $0, \ldots, d-2$, and the second component equals $1$ at time $d-1$ and $0$ elsewhere. 



It can now be easily verified that $\Lambda(x)$ and $\Omega(x)$ are solutions of (2) if and only if the trajectory $b$ is a solution of the difference equation 

$$ \begin{bmatrix} \Lambda(\sigma) & -\Omega(\sigma) \end{bmatrix} \begin{bmatrix} w_1 \\ w_2 \end{bmatrix} = 0 \qquad (4) $$

in the variable $w = \begin{bmatrix} w_1 \\ w_2 \end{bmatrix} : \mathbb{Z}_+ \to F^2$. Here $\sigma$ stands for the backward shift operator. 



Let us now consider the WB key equation (1). From the interpolation data we define $d$ trajectories $b_i : \mathbb{Z}_+ \to F^2$ given by 

$$ b_i = \begin{bmatrix} y_i \\ \eta_i \end{bmatrix} (1, x_i, x_i^2, \ldots) \qquad \text{for } i = 0, \ldots, d-1. \qquad (5) $$



Clearly, the polynomials $D(x)$ and $N(x)$ are solutions of (1) if and only if all trajectories $b_i$ ($i = 0, \ldots, d-1$) are solutions of the difference equation 

$$ \begin{bmatrix} D(\sigma) & -N(\sigma) \end{bmatrix} \begin{bmatrix} w_1 \\ w_2 \end{bmatrix} = 0. \qquad (6) $$



For decoding we require in addition that the row degrees of $[\Lambda(x) \;\; -\Omega(x)]$ and $[D(x) \;\; -N(x)]$, respectively, are minimal. Here the row degree of a polynomial row vector is defined as the maximum degree of its entries. Furthermore, for decoding, we require $\Lambda(0) \ne 0$ for the solution of (4) and $\deg N < \deg D$ for the solution of (6). The fact that these requirements differ is solely due to the fact that Berlekamp's key equation (2) aims at reciprocals of error locations rather than at the locations themselves. 



Remark 1. Note that, if we process the syndromes in reversed order, then the requirement that $\Lambda(0) \ne 0$ is to be replaced by the requirement that $\deg \Omega < \deg \Lambda$. 
Having reformulated the two decoding problem statements in a behavioral setting, how do we go about solving them? A model of the form (4), 

$$ \begin{bmatrix} \Lambda(\sigma) & -\Omega(\sigma) \end{bmatrix} \begin{bmatrix} w_1 \\ w_2 \end{bmatrix} = 0, $$

clearly gives rise to a linear $\sigma$-invariant solution space ("behavior") spanned by infinitely many trajectories from $\mathbb{Z}_+$ to $F^2$. For our decoding we require that this behavior contains the given trajectory $b$, defined by (3). The smallest $\sigma$-invariant behavior $\mathcal{B}^*$ that contains $b$ is clearly finite dimensional and given by the span of $b, \sigma b, \ldots, \sigma^{d-1} b$. This behavior $\mathcal{B}^*$ is called the Most Powerful Unfalsified Model (MPUM) for the data set $\{b\}$, see [23]. For $\mathcal{B}^*$ we can immediately write down a representation, namely 



$$ \begin{bmatrix} 1 & -(S_1 \sigma + \cdots + S_{d-1} \sigma^{d-1}) \\ 0 & \sigma^{d} \end{bmatrix} w = 0. \qquad (7) $$



The above representation is not unique; in fact, all other representations of $\mathcal{B}^*$ can be obtained by left multiplying the matrix in (7) by a unimodular polynomial matrix, i.e. a polynomial matrix whose determinant is a nonzero constant. Note that it follows that the degree of the determinant of any matrix that represents $\mathcal{B}^*$ equals $d = \dim \mathcal{B}^*$, whereas the sum of the row degrees of any such matrix is larger than or equal to $d$. It can be proven [23] that there exists a representation of $\mathcal{B}^*$ for which equality holds. This representation has minimal row degrees and is called "row reduced". A solution $[\Lambda(x) \;\; -\Omega(x)]$ of the decoding problem is simply found by selecting, from the two rows of a row reduced representation of $\mathcal{B}^*$, the row of minimal degree that satisfies the additional requirement (here: $\Lambda(0) \ne 0$). 

In the case of the WB key equation (1) the approach is completely analogous: simply replace $\{b\}$ by $\{b_0, \ldots, b_{d-1}\}$, defined in (5), and find a row reduced representation for its MPUM accordingly, see [18,19]. In this case we choose the row of minimal degree that satisfies the additional requirement that $\deg N < \deg D$. 



Algorithms. A well known noniterative algorithm for solving the above decod- 
ing problems is the Euclidean algorithm. In [18] it has been explained that the 
Euclidean algorithm simply brings the matrix in (7) in row reduced form. 

Alternatively, the general iterative behavioral modeling procedure of [23, p. 
289] can be used. For key equation (2) it is explained in detail in [15] how the 
BM algorithm can be interpreted as an instance of this procedure. 

It has been shown in [18,19] how the same general iterative behavioral mod- 
eling procedure of [23] can also be put to work to produce an iterative algorithm 
for solving key equation (1). The resulting algorithm closely resembles the WB 
algorithm but involves a different update parameter [18, Sect. 4.4]. It plays a 
key role in the sequel of this paper. We believe that the behavioral set-up en- 
ables a particularly transparent explanation. For this reason we now explain the 
algorithm as clearly as possible, see also [18, Thm. 4.2]. 
Algorithm 1. As a first step we initialize 

$$ R_{-1}(x) := \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}. $$

Note that the row degrees $L^1_{-1}$ and $L^2_{-1}$ of this matrix both equal 0. The behavior represented by $R_{-1}(\sigma) w = 0$ equals $\{0\}$. We now proceed by processing the data $(x_i, y_i, \eta_i)$ step by step. At step $i$ ($i = 0, \ldots, d-1$) we process the corresponding trajectory $b_i$ given by (5). For this, we first compute the error trajectory $\varepsilon_i := R_{i-1}(\sigma)\, b_i$, which is easily shown to be of the form 

$$ \varepsilon_i = \begin{bmatrix} \Delta_i \\ \Gamma_i \end{bmatrix} (1, x_i, x_i^2, \ldots). $$
In fact, $\Delta_i$ and $\Gamma_i$ are computed as 

$$ \begin{bmatrix} \Delta_i \\ \Gamma_i \end{bmatrix} = R_{i-1}(x_i) \begin{bmatrix} y_i \\ \eta_i \end{bmatrix}. $$

We then choose an update matrix $V_i(x)$ such that $V_i(\sigma) w = 0$ represents the MPUM for $\{\varepsilon_i\}$. Defining $R_i(x) := V_i(x) R_{i-1}(x)$, we then have that $R_i(\sigma) w = 0$ is a representation that models all data $b_0, \ldots, b_i$ processed so far. We need to choose $V_i(x)$ carefully, so as to produce a row reduced matrix $R_i(x)$. Recall that this means that the sum of the first row degree $L^1_i$ and the second row degree $L^2_i$ of $R_i(x)$ equals the degree of the determinant of $R_i(x)$. This is achieved by making sure that only one of the row degrees of $R_{i-1}(x)$ is increased by one when left multiplied by $V_i(x)$. The following specification satisfies this requirement: if ($\Gamma_i \ne 0$ and $L^1_{i-1} \ge L^2_{i-1}$) or $\Delta_i = 0$, then 

$$ V_i(x) := \begin{bmatrix} \Gamma_i & -\Delta_i \\ 0 & x - x_i \end{bmatrix}, \qquad L^1_i := L^1_{i-1}, \quad L^2_i := L^2_{i-1} + 1, $$

and, if otherwise, 

$$ V_i(x) := \begin{bmatrix} x - x_i & 0 \\ \Gamma_i & -\Delta_i \end{bmatrix}, \qquad L^1_i := L^1_{i-1} + 1, \quad L^2_i := L^2_{i-1}. $$

Note that for efficient implementation it is sufficient to update only $L^1_i$, since $L^1_i + L^2_i = i + 1$ at each step $i$. After processing all data $(x_i, y_i, \eta_i)$ for $i = 0, \ldots, d-1$, the matrix $R_{d-1}(x)$ is a row reduced representation of the MPUM $\mathcal{B}^*$ of $\{b_0, \ldots, b_{d-1}\}$. It can be proven that $R_{d-1}(x)$ also has the property that the degree of its lower left entry is strictly smaller than the degree of its lower right entry. From the row reducedness of $R_{d-1}(x)$ it then follows that the upper left entry $D(x)$ and the upper right entry, which equals $-N(x)$, give a solution of key equation (1) for which $\deg N < \deg D$ and $\deg D$ is minimal. 
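Algorithm 1 worked through on constructed data over GF(7), as an added example that is not the paper's code: the field, the data set and every function name below are my own choices. The $y_i$ are the values of $1/(x-5)$ at $x = 1, 3, 4, 6$ with a corrupted value at $x = 2$, so the minimal solution should be $D(x) = (x-5)(x-2)$ and $N(x) = x - 2$.

```python
"""Algorithm 1 of the page (the behavioral variant of the Welch-Berlekamp
algorithm) over a prime field.  Added example: GF(7), the interpolation data
and all helper names are my own constructions, not the paper's code.
Polynomials are coefficient lists, lowest degree first."""

P = 7   # constructed: size of the prime field GF(P) used in this example


def trim(a):
    """Reduce mod P and drop leading zeros; the zero polynomial is []."""
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a


def deg(a):
    """Degree of a polynomial; deg 0 = -1, so 'deg N < deg D' also works for N = 0."""
    return len(trim(a)) - 1


def padd(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)
                 for i in range(n)])


def pscale(c, a):
    return trim([c * x for x in a])


def pmul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)


def peval(a, x):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % P
    return r


def matmul(V, R):
    """Product of two 2x2 polynomial matrices."""
    return [[padd(pmul(V[i][0], R[0][j]), pmul(V[i][1], R[1][j]))
             for j in range(2)] for i in range(2)]


def algorithm1(data):
    """Process the data (x_i, y_i, eta_i), i = 0..d-1, and return (D, N) read
    off the top row [D(x)  -N(x)] of the final row reduced matrix, D made monic.
    Then D(x_i) y_i = N(x_i) eta_i for all i and deg N < deg D."""
    R = [[[1], []], [[], [1]]]          # R_{-1}(x) = identity matrix
    L1 = L2 = 0                         # row degrees of R_{-1}
    for i, (x, y, eta) in enumerate(data):
        # discrepancies: [Delta_i; Gamma_i] = R_{i-1}(x_i) [y_i; eta_i]
        delta = (peval(R[0][0], x) * y + peval(R[0][1], x) * eta) % P
        gamma = (peval(R[1][0], x) * y + peval(R[1][1], x) * eta) % P
        if delta == 0 and gamma == 0:
            raise ValueError("b_i is the zero trajectory: y_i and eta_i both vanish")
        lin = [(-x) % P, 1]             # the polynomial x - x_i
        # exactly one row degree grows by one, which keeps R_i row reduced
        if (gamma != 0 and L1 >= L2) or delta == 0:
            V = [[[gamma], [(-delta) % P]], [[], lin]]
            L2 += 1
        else:
            V = [[lin, []], [[gamma], [(-delta) % P]]]
            L1 += 1
        R = matmul(V, R)
        assert L1 + L2 == i + 1          # the invariant noted in the text
    D = R[0][0]
    N = pscale(-1, R[0][1])             # top row is [D(x)  -N(x)]
    inv = pow(D[-1], P - 2, P)          # normalise: D monic, N scaled alike
    return pscale(inv, D), pscale(inv, N)


def roots(a):
    """Zeros of a polynomial in GF(P); for D these are the error locations."""
    return [x for x in range(P) if peval(a, x) == 0]


def satisfies_key_equation(D, N, data):
    return all((peval(D, x) * y - peval(N, x) * eta) % P == 0 for x, y, eta in data)


# Constructed data: d = 5 points, eta_i = 1.  y_i = 1/(x_i - 5) in GF(7) except
# at x = 2, which carries a wrong value, so the expected minimal solution is
# D(x) = (x - 5)(x - 2) = x^2 + 3 and N(x) = x - 2 = x + 5.
EXAMPLE_DATA = [(1, 5, 1), (2, 0, 1), (3, 3, 1), (4, 6, 1), (6, 1, 1)]

if __name__ == "__main__":
    D, N = algorithm1(EXAMPLE_DATA)
    print("D =", D, "N =", N, "error locations:", roots(D))
```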



Remark 2. The above algorithm can be easily adapted (see [5]) so as to process repeated interpolations at $x = 0$, say involving the reversed syndrome polynomial $S_{d-1} x + \cdots + S_1 x^{d-1}$. This straightforwardly gives rise to the algorithm of [18, Sect. 4.2], which computes a polynomial whose zeros are the error locations rather than the reciprocals of the error locations, see Remark 1. In this case the discrepancies $\Delta_i$ and $\Gamma_i$ are computed as 

$$ \begin{bmatrix} \Delta_i \\ \Gamma_i \end{bmatrix} = \text{coefficient of } x^{i} \text{ in } R_{i-1}(x) \begin{bmatrix} S_{d-1} x + \cdots + S_1 x^{d-1} \\ 1 \end{bmatrix}. $$
3 Errors-and-Erasures RS Decoding 

In this section we present various methods for errors-and-erasures decoding, most 
of which can be found in the literature. The main aim of this section is to cast all 
methods into one conceptually clear framework by reformulation in behavioral 
modeling terms. 



3.1 Noniterative Processing of Erasures 

Here we deal with a situation where $f < d$ erasure locations $a_1, a_2, \ldots, a_f$ are a priori specified, for example through the erasure locator polynomial $\Gamma(x) := \prod_{j=1}^{f} (1 - a_j x)$. We seek to find the corresponding error values (possibly zero) as well as additional errors in the non-erased locations. Substituting zeros in the erased positions, we first derive syndrome values $S_1, \ldots, S_{d-1}$. Errors-and-erasures decoding amounts to finding the shortest LFSR $\Lambda(x)$ for $S_1, \ldots, S_{d-1}$ that contains $\Gamma(x)$ as a factor. Methods for solving this problem are well known and can be found in e.g. [6,22]. In this subsection we first seek to reformulate the problem in behavioral modeling terms. We then outline how a range of different classical solution methods fits into our framework. 

In terms of trajectories, the above requirement that $\Gamma(x)$ is a factor of the errors-and-erasures locator polynomial $\Lambda(x)$ is easily reformulated as the requirement to model not only the trajectory $b : \mathbb{Z}_+ \to F^2$ given by (3), but also, for $j = 1, \ldots, f$, the trajectories 

$$ b_j := \begin{bmatrix} 1 \\ 0 \end{bmatrix} (1, a_j^{-1}, a_j^{-2}, \ldots), \qquad (8) $$

whose first component is annihilated by $\Gamma(\sigma)$ because $a_j^{-1}$ is a zero of $\Gamma(x)$. With $S(x) := S_1 x + \cdots + S_{d-1} x^{d-1}$, a representation for the MPUM for the set of trajectories $\{b, b_1, \ldots, b_f\}$ is readily obtained as 

$$ \begin{bmatrix} \Gamma(\sigma) & -\tilde S(\sigma) \\ 0 & \sigma^{d} \end{bmatrix} w = 0, $$

where $\tilde S(x) := \Gamma(x) S(x) \bmod x^{d}$ is the modified syndrome, see e.g. [22]. The task at hand is now simply to bring the matrix in the above equation in row reduced form. As described below, this can be done in a convenient way by making use of the next lemma (whose proof is straightforward) and the decomposition $\tilde S(x) = \tilde S_1(x) + x^{f} \tilde S_2(x)$, where $\tilde S_1(x) := \tilde S_1 x + \tilde S_2 x^2 + \cdots + \tilde S_f x^{f}$ and $\tilde S_2(x) := \tilde S_{f+1} x + \cdots + \tilde S_{d-1} x^{d-1-f}$. 
Lemma 1. Let $a(x)$ and $b(x)$ be polynomials of degree $f$ and let $c(x)$ be a polynomial of degree $\le f$. Let $R(x)$ be a $2 \times 2$ polynomial matrix that is row reduced. Then 

$$ R(x) \begin{bmatrix} a(x) & c(x) \\ 0 & b(x) \end{bmatrix} $$

is row reduced. 



Theorem 1. Let 

$$ \begin{bmatrix} \Lambda(\sigma) & -\Omega(\sigma) \\ \lambda(\sigma) & -\omega(\sigma) \end{bmatrix} w = 0 $$

be a row reduced representation of the MPUM of the trajectory 

$$ \begin{pmatrix} \tilde S_{d-1} & \tilde S_{d-2} & \cdots & \tilde S_{f+1} & 0 & 0 & \cdots \\ 0 & 0 & \cdots & 0 & 1 & 0 & \cdots \end{pmatrix}, $$

i.e. the trajectory of the form (3) built from the modified syndromes $\tilde S_{f+1}, \ldots, \tilde S_{d-1}$ (its second component equals $1$ at time $d-1-f$). Define 

$$ R(x) := \begin{bmatrix} \Lambda(x) & -\Omega(x) \\ \lambda(x) & -\omega(x) \end{bmatrix} \begin{bmatrix} \Gamma(x) & -\tilde S_1(x) \\ 0 & x^{f} \end{bmatrix}. $$

Then $R(\sigma) w = 0$ is a row reduced representation of the MPUM of $\{b, b_1, \ldots, b_f\}$, as defined in (3) and (8). 

Proof. Applying the above lemma for $a(x) = \Gamma(x)$, $b(x) = x^{f}$ and $c(x) = -\tilde S_1(x)$, it follows that $R(x)$ is row reduced. It can also be easily seen that $R(\sigma) w = 0$ represents the MPUM of $\{b, b_1, \ldots, b_f\}$. □ 



Because of the above theorem we can perform errors-and-erasures decoding by computing the modified syndrome values $\tilde S_{f+1}, \ldots, \tilde S_{d-1}$ and constructing a shortest LFSR for them. The latter can be done either noniteratively, by applying the Euclidean algorithm on the polynomials $x^{d-f}$ and $\tilde S_2(x)$, or iteratively, by applying the BM algorithm on $\tilde S_{f+1}, \ldots, \tilde S_{d-1}$. Both methods are classical and can be found in e.g. [6], see also [8]. The BM type method is essentially equivalent to the method recounted in [21, Sect. II-A] and [6,13]: it can be easily verified that applying BM on $\tilde S_{f+1}, \ldots, \tilde S_{d-1}$ is the same as applying BM on $\tilde S_1, \ldots, \tilde S_{d-1}$ and initializing with 

$$ \begin{bmatrix} \Gamma(x) & 0 \\ 0 & x \end{bmatrix}. $$

3.2 Iterative Processing of Erasures 

350 M. Kuijper et al. 

Erasure Deletion through Interpolation at Distinct Points. The most natural way [2,3,4,20] to deal with erasures is to employ an approach based on interpolation at the code locations. Indeed, in this approach the interpolation points can be chosen complementary to the erasure locations, which are thus ignored ("erased"). In fact, we can regard the preliminary step of the WB algorithm, in which $k$ entries are re-encoded, as a case of erasures-only decoding in which $n - k = d - 1$ code locations are erased. In each subsequent step of the WB algorithm one erasure is deleted from the full set of $d - 1$ erasures, until at the last ($(d-1)$st) step all erasures have been deleted and errors-only decoding is completed. Thus the WB algorithm and the closely related Algorithm 1 can be regarded as instances of an iterative errors-and-erasures decoding method in which erasures are successively deleted. 



Syndrome-Based Erasure Addition. Alternatively, it is possible to formulate a syndrome-based errors-and-erasures decoding method that processes the erasures iteratively, as presented by Kötter in [14]. Indeed, the exposition in Section 3.1 is easily modified to reformulate decoding as the construction of a row reduced representation for the MPUM of the data set $\{b, b_1, \ldots, b_f\}$, where 

$$ b := \begin{pmatrix} S_1 & S_2 & \cdots & S_{d-1} & 0 & 0 & \cdots \\ 0 & 0 & \cdots & 0 & 1 & 0 & \cdots \end{pmatrix} \qquad (9) $$

(the counterpart of (3) with the syndromes in reversed order; the entry $1$ sits at time $d-1$) and, for $j = 1, \ldots, f$, 

$$ b_j := \begin{bmatrix} 1 \\ 0 \end{bmatrix} (1, a_j, a_j^2, \ldots). \qquad (10) $$

In the notation of Section 2.1, the decoding problem is thus an interpolation problem with interpolation data $(0, \{0, S_{d-1}, \ldots, S_1\}), (a_1, 1, 0), \ldots, (a_f, 1, 0)$. This approach is close to the work by Kötter [14] who, in behavioral terms, first constructs a row reduced representation for the syndromes, then takes its reciprocal model and proceeds by performing interpolation at the erasure locations. In our set-up we process the syndrome components in reversed order, so that a reciprocal model need not be computed. Note that the order in which erasures are added is not important. In fact, erasures can even be added after any intermediate syndrome processing iteration, an observation which was also made in [13], where a similar algorithm is presented. 



Framework for Errors-and-Erasures Reed-Solomon Decoding 351 

Syndrome-Based Erasure Deletion. In [21] Taipale and Seo employ an erasure deleting approach that is syndrome-based. Their algorithm produces a polynomial whose zeros are the reciprocals of the error locations. Below we present an algorithm which resembles the algorithm in [21] but produces a polynomial whose zeros are the error locations. We found that setting up the algorithm in this way rather than in the reciprocal domain enhances its insightfulness. Similar algorithms to ours have been presented in [10,11,12]. 

For our syndrome-based erasure deletion approach, we first consider erasures-only decoding, specifying $d - 1$ erasure locations $a_1, a_2, \ldots, a_{d-1}$ and defining $\Gamma(x) := \prod_{j=1}^{d-1} (x - a_j)$. We initialize our algorithm with 

$$ R_0(x) := \begin{bmatrix} \Gamma(x) & -\tilde S(x) \\ 0 & x^{d} \end{bmatrix}, $$

where $\tilde S(x) := \Gamma(x)\,(S_{d-1} x + \cdots + S_1 x^{d-1}) \bmod x^{d}$. Note that the representation 

$$ \begin{bmatrix} \Gamma(\sigma) & -\tilde S(\sigma) \\ 0 & \sigma^{d} \end{bmatrix} w = 0 $$

models $\{b, b_1, \ldots, b_f\}$, given by (9)-(10). Erasure deletion comes down to removing, one by one, the erasure trajectories $b_j$ ($j = 1, \ldots, d-1$). After erasing all $d - 1$ erasures, the output of the algorithm achieves errors-only decoding. Not surprisingly, the algorithm operates inversely to Algorithm 1. For the sake of brevity we omit its proof here. 



Algorithm 2. Initialize 

$$ R_0(x) := \begin{bmatrix} \Gamma(x) & -\tilde S(x) \\ 0 & x^{d} \end{bmatrix}, \qquad L^1_0 := d - 1 \quad \text{and} \quad L^2_0 := d. $$

At step $i$, process the erasure $a_i$ ($i = 1, \ldots, d-1$) by computing 



A. 






Then define $R_i(x) := V_i(x) R_{i-1}(x)$ where, 

if ($L^1_{i-1} \ge L^2_{i-1}$ and $\Gamma_i \ne 0$) or $\Delta_i = 0$, then 



$V_i(x) :=$ 





$L^1_i := L^1_{i-1} - 1$ and $L^2_i := L^2_{i-1}$, 



and, if otherwise, 



$V_i(x) :=$ 




0 



$L^1_i := L^1_{i-1}$ and $L^2_i := L^2_{i-1} - 1$. 



Now, the zeros of the upper left entry of $R_i(x)$ are candidate error locations for errors-and-erasures decoding with $d - 1 - i$ erasures specified. 

Note again that for efficient implementation only $L^1_i$ needs to be updated, since $L^1_i + L^2_i = 2d - 1 - i$ at each step $i$. 



4 Conclusions 

In this paper we put behavioral systems theory to work to provide a unified explanation of a range of iterative errors-and-erasures decoding algorithms in the literature. In doing this, we introduced a slightly more general version of the WB key equation (by introducing the $\eta_i$ in equation (1)) to accommodate the handling of erasure trajectories. We classified several known iterative procedures for errors-and-erasures RS decoding and gave an overview of the relationships between our framework and the currently known schemes. 
Abstract. An algorithm for evaluating the decoding performance of maximum likelihood decoding (MLD) with threshold test over a binary symmetric channel (BSC) is presented. The proposed algorithm, which is based on the dynamic programming principle, computes the exact values of the correct correction, rejection and undetected-error probabilities. The computational complexity of the algorithm is $O(n 2^{(1-r)n})$, where $n$ and $r$ denote the length and coding rate of the code. 



1 Introduction 

Binary linear codes such as BCH codes are widely exploited in practical error control systems. On the receiver side of such systems (e.g., automatic repeat request (ARQ) systems, concatenated coding systems, product coding systems, etc.), maximum likelihood decoding (MLD) with rejection test is often used. The rejection test examines whether the output of an ML decoder is reliable enough or not. If the output of the ML decoder is rejected, the received word is treated as an erasure. In an ARQ system, the receiver sends a request for retransmission of the erased block to the sender. In a concatenated coding system (or a product coding system), the erasure information of an inner code is also utilized for outer code decoding. The erasure information improves the overall decoding performance of a concatenated coding system. 

In order to design an error control system including MLD with rejection test, we need to evaluate its decoding performance. There are three probabilities that we would like to evaluate: the correct correction probability $P_{cr}$, the rejection probability $P_{rj}$ and the undetected-error probability $P_{ud}$. In [1], Hashimoto presented a performance analysis of several rejection tests and compared their performances based on their error exponents. The exponents reveal the asymptotic behavior of the rejection tests. Hashimoto also reported simulation results for several short codes such as BCH codes of length 15, 31 [2]. Almost all rejection tests (which he has tested) give similar performances. From this observation, he conjectured that there are no (or few) differences in performance among them over a binary symmetric channel (BSC). 



S. Boztaş and I.E. Shparlinski (Eds.): AAECC-14, LNCS 2227, pp. 353-362, 2001. 
© Springer-Verlag Berlin Heidelberg 2001 
In this paper, we discuss exact calculation of the decoding performance of MLD with a rejection test. In particular, we here only deal with the threshold test as the rejection test. The threshold test accepts an output of the ML decoder if the weight of the estimated error is smaller than or equal to $\tau$, where $\tau$ is a predetermined threshold value. Otherwise, the threshold test rejects the output. Although the decoding scheme is easy to describe, it is not easy to analyze it even for a BSC. This is because $P_{rj}$ is closely related to enumeration of the complete coset weight distribution of a binary linear code. The complete coset weight distribution is the set of the weight distributions of all the cosets of $C$. The computation of the complete coset weight distribution is time-consuming; it takes $O(n 2^{n})$-time with a brute force algorithm [11], where $n$ denotes the code length. Furthermore, there are few codes whose complete coset weight distribution is known. These difficulties prevent us from deriving the rejection and the undetected-error probabilities of a non-trivial code. 

A new algorithm for computing $P_{cr}$, $P_{rj}$ and $P_{ud}$ over a BSC is presented in this paper. The computational complexity of the algorithm is $O(n 2^{(1-r)n})$, where $r$ denotes the coding rate of the code. Thus, the proposed algorithm is applicable to any binary linear code with redundancy up to nearly 25-30 bits with a typical computer. For example, the rejection and the undetected-error probabilities of several BCH codes, such as the (63,39,9) BCH code, have been successfully computed with the proposed algorithm. 

The proposed algorithm may be used also for the decoding performance analysis of the Chase algorithm and list decoding algorithms which can correct errors of weight beyond $\lfloor (d-1)/2 \rfloor$, where $d$ denotes the minimum distance of the code. 

2 Preliminaries 

2.1 MLD with Threshold Test 

Let $C$ be an $(n, k, d)$ binary linear code, where $k$ denotes the dimension of the code. A codeword $x \in C$ is assumed to be transmitted over the BSC with bit error probability $p$. The vector $y$ is the received word such that $y = x \oplus e$; the error vector $e$ occurs with probability $p^{w_H(e)} (1-p)^{n - w_H(e)}$, where the notation $w_H(x)$ denotes the Hamming weight of $x$. The operator $\oplus$ represents componentwise addition over $F_2$, where $F_2$ is the Galois field with two elements. 

The following explains the decoding rule of MLD with threshold test considered here. 



[MLD with threshold test over BSC] For a given received word $y$, we first perform MLD and obtain an estimated word $\hat x$ satisfying 

$$ \hat x = \arg\max\{ P(y \mid x) : x \in C \}, \qquad (1) $$

where $P(y \mid x) = p^{d_H(x,y)} (1-p)^{n - d_H(x,y)}$ and $d_H(x, y)$ denotes the Hamming distance function. We should clarify the meaning of $\arg\max$ in (1). Let $f$ be a real-valued function whose domain is a finite set $X$ with a total order. We define 

$$ \arg\max\{ f(x) : x \in X \} = \min\{ x \in X : f(x) = f_{\max} \}, \qquad (2) $$

where $f_{\max} = \max\{ f(x) : x \in X \}$ and the minimum in the right hand side of (2) means the minimum with respect to the total order of $X$. In a similar way, $\arg\min$ is also defined. In (1), we implicitly assumed that a total order is defined on $C$. However, we do not specify the order because the order does not affect the following analysis. 

After MLD, $\hat x$ is examined by the following threshold test: if the weight of the estimated error $\hat e = y \oplus \hat x$ is larger than $\tau$, then $\hat x$ is rejected. Otherwise, the decoder accepts $\hat x$ and outputs it. The parameter $\tau$ ($0 \le \tau \le \rho$) is the threshold parameter and $\rho$ is the covering radius of $C$. □ 

The events which occur after decoding are classified into the following three categories: correct decoding, undetected error and rejection. We assume that every codeword in $C$ is transmitted equally likely. The correct decoding probability $P_{cr}$ is given by $P_{cr} = (1/2^{k}) \sum_{x \in C} P(\hat x = x, w_H(\hat e) \le \tau \mid x)$. The undetected-error probability $P_{ud}$ is given by $P_{ud} = (1/2^{k}) \sum_{x \in C} P(\hat x \ne x, w_H(\hat e) \le \tau \mid x)$. The rejection probability $P_{rj}$ is given by $P_{rj} = (1/2^{k}) \sum_{x \in C} P(w_H(\hat e) > \tau \mid x)$. From the definition of these probabilities and the decoding rule (1), we have the relation $P_{cr} + P_{ud} + P_{rj} = 1$. 

2.2 Coset of a Binary Linear Code 

An $(n, k, d)$ binary linear code $C$ gives a coset decomposition of the vector space $F_2^{n}$. Let the weight of a coset be the Hamming weight of the minimal weight vector in the coset. A binary vector whose Hamming weight is minimal in a coset is called the coset leader of the coset. The number of coset leaders with Hamming weight $i$ ($0 \le i \le \rho$) is denoted by $\alpha_i$ [3]. The $(\rho+1)$-tuple $(\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_\rho)$ is called the weight distribution of coset leaders of $C$. 

Let $L(C) = \{v_1, v_2, \ldots, v_{2^{n-k}}\}$ be a set of coset leaders of $C$. The coset including the coset leader $v \in L(C)$ is represented by $C_v = \{u \oplus v : u \in C\}$. MLD can be achieved by standard array decoding (see [4]). Standard array decoding is the following procedure: if a received word $y$ belongs to $C_{v'}$, the decoder outputs $\hat x = y \oplus v'$ as the estimated word. 

3 Performance of MLD with Threshold Test 

3.1 Correct Decoding Probability 

Hereafter, we assume that the transmitted word $x$ is the zero vector $\mathbf{0}$ without loss of generality. The notation $\mathbf{0}$ means the $n$-tuple of zeros. Using the notation on cosets defined above, we can rewrite $P_{cr}$ into the following form: 

$$ P_{cr} = P(\hat x = \mathbf{0}, w_H(y) \le \tau \mid \mathbf{0}) \qquad (3) $$
$$ \phantom{P_{cr}} = \sum_{y \in L(C),\, w_H(y) \le \tau} P(y \mid \mathbf{0}). \qquad (4) $$

It is evident that the received word $y$ is successfully corrected when $y \in L(C)$ and $w_H(y) \le \tau$. Thus, the above equation can be further simplified in such a way: 

$$ P_{cr} = \sum_{i=0}^{\tau} \alpha_i\, p^{i} (1-p)^{n-i}. \qquad (5) $$

Equation (5) implies that knowledge of the weight distribution of coset leaders is required for evaluating $P_{cr}$. When $\tau = \rho$, we have $P_{ML} = \sum_{i=0}^{\rho} \alpha_i\, p^{i} (1-p)^{n-i}$, which is the correct decoding probability of MLD (without threshold test) [3]. 

3.2 Calculation of the Probabilities: Case I ($\tau \le \lfloor (d-1)/2 \rfloor$) 

In the case where $\tau \le \lfloor (d-1)/2 \rfloor$, the correct decoding region $\{y \in L(C) : w_H(y) \le \tau\}$ coincides with the $n$-dimensional Hamming sphere $\{u \in F_2^{n} : w_H(u) \le \tau\}$. This property greatly simplifies the analysis of $P_{cr}$, $P_{ud}$ and $P_{rj}$. For example, it is known that $\alpha_i = \binom{n}{i}$ holds for $0 \le i \le \lfloor (d-1)/2 \rfloor$ [3]. Hence, we can easily compute $P_{cr}$ by (5). 

It is also known that, for the case $\tau \le \lfloor (d-1)/2 \rfloor$, the probabilities $P_{rj}$ and $P_{ud}$ can be obtained based on the knowledge of the weight distribution of $C$ [5][6]. 

3.3 Calculation of the Probabilities: Case II ($\tau > \lfloor (d-1)/2 \rfloor$) 

In the case where $\tau > \lfloor (d-1)/2 \rfloor$, the situation becomes complicated. This is because the acceptance region is no longer a Hamming sphere. We require a more detailed feature of $C$ than its weight distribution. 

If the received word $y$ falls into a coset with weight larger than $\tau$, the standard array ML decoder outputs $y \oplus \hat e$, where $w_H(\hat e) > \tau$. Therefore, the rejection probability is given by $P_{rj} = \sum_{y \in V(C, \tau)} P(y \mid \mathbf{0})$, where $V(C, \tau)$ is the set of the vectors contained in the cosets of $C$ with weight larger than $\tau$: 

$$ V(C, \tau) = \bigcup_{v \in L(C),\, w_H(v) > \tau} C_v. $$

Let $W_{C_v}(x, y)$ be the weight enumerator of the coset $C_v$: $W_{C_v}(x, y) = \sum_{c \in C_v} x^{w_H(c)} y^{n - w_H(c)}$. Using the weight enumerators of the cosets, the rejection probability $P_{rj}$ is represented by $P_{rj} = \sum_{v \in L(C) \cap V(C, \tau)} W_{C_v}(p, 1-p)$. The undetected-error probability $P_{ud}$ is given by $P_{ud} = 1 - P_{cr} - P_{rj}$. 

As we have seen above, knowledge of the complete coset weight distribution enables us to compute $P_{rj}$ and $P_{ud}$ when $\tau > \lfloor (d-1)/2 \rfloor$. 

4 Algorithm for Computing Rejection Probability 

An algorithm for computing the rejection probability for a given triple $(C, p, \tau)$ is presented here. As discussed in Section 3.2, there is a simple method for computing these probabilities when $\tau \le \lfloor (d-1)/2 \rfloor$. The following algorithm makes computation for $\tau > \lfloor (d-1)/2 \rfloor$ feasible. 

4.1 Proposed Algorithm 

An $(n-k) \times n$ parity check matrix of $C$ is denoted by $H = (h_1, h_2, \ldots, h_n)$, where $h_i$ is the $i$-th binary column vector of length $n - k$. In this paper, we consider that the binary column vector $h_i$ belongs to $F_2^{n-k}$. 

For each $\sigma \in F_2^{n-k}$ and $0 \le t \le n$, we define $P(\sigma, t)$ and $W(\sigma, t)$ by the following recursive formulas: 

$$ P(\sigma, 0) = \begin{cases} 1, & \sigma = 0^{n-k} \\ 0, & \sigma \ne 0^{n-k} \end{cases} \qquad (6) $$
$$ P(\sigma, t) = (1-p)\, P(\sigma, t-1) + p\, P(\sigma \oplus h_t, t-1) \qquad (7) $$
$$ W(\sigma, 0) = \begin{cases} 0, & \sigma = 0^{n-k} \\ \infty, & \sigma \ne 0^{n-k} \end{cases} \qquad (8) $$
$$ W(\sigma, t) = \min\{ W(\sigma, t-1),\; W(\sigma \oplus h_t, t-1) + 1 \}. \qquad (9) $$

The next lemma plays a key role in the proposed algorithm. 

Lemma 1. The probabilities $P_{cr}$, $P_{rj}$ and $P_{ud}$ are given by 

$$ P_{cr} = \sum_{i=0}^{\tau} \alpha_i\, p^{i} (1-p)^{n-i}, \qquad (10) $$
$$ P_{rj} = \sum_{\sigma \in U(C, \tau)} P(\sigma, n), \qquad (11) $$
$$ P_{ud} = 1 - P_{cr} - P_{rj}, \qquad (12) $$

where 

$$ U(C, \tau) = \{ \sigma \in F_2^{n-k} : W(\sigma, n) > \tau \} \qquad (13) $$

and the $\alpha_i$'s ($0 \le i \le \rho$) are obtained by 

$$ \alpha_i = \left| \{ \sigma \in F_2^{n-k} : W(\sigma, n) = i \} \right|. \qquad (14) $$

Proof: For $\sigma \in F_2^{n-k}$, $0 < t \le n$, we define $C(\sigma, t)$ by 

$$ C(\sigma, t) = \{ u \in F_2^{t} : (u \cdot 0^{n-t}) H^{T} = \sigma \}, \qquad (15) $$
$$ C(\sigma, 0) = \emptyset, \qquad (16) $$

where $0^{n-t}$ represents the zero vector of length $n - t$. The symbol $\cdot$ denotes the concatenation operator. From the recursive formula (9) on $W(\sigma, t)$ and the definition (15), we see that $W(\sigma, t)$ coincides with the weight of the minimal weight 
vector in $C(\sigma, t)$. It is also obvious that $C(\sigma, n)$ is the coset of $C$ corresponding to the syndrome $\sigma$. Since $W(\sigma, n)$ is the weight of the minimal weight vector in $C(\sigma, n)$, $W(\sigma, n)$ can be considered as the weight of the coset corresponding to syndrome $\sigma$. This explains the validity of (14). 

The recursive formulas on $C(\sigma, t)$ and $P(\sigma, t)$ lead to 

$$ P(\sigma, t) = \sum_{c \in C(\sigma, t)} p^{w_H(c)} (1-p)^{t - w_H(c)}. \qquad (17) $$

Note that $P(\sigma, n)$ can be rewritten into: 

$$ P(\sigma, n) = \sum_{c \in C(\sigma, n)} p^{w_H(c)} (1-p)^{n - w_H(c)} \qquad (18) $$
$$ \phantom{P(\sigma, n)} = \sum_{y \in C(\sigma, n)} P(y \mid \mathbf{0}). \qquad (19) $$

The right hand side of (19) is the probability that the received word $y$ falls into the coset corresponding to syndrome $\sigma$ under the assumption $x = \mathbf{0}$. The rejection probability is, thus, obtained by 

$$ P_{rj} = \sum_{y \in V(C, \tau)} P(y \mid \mathbf{0}) \qquad (20) $$
$$ \phantom{P_{rj}} = \sum_{\sigma \in U(C, \tau)} P(\sigma, n). \qquad (21) $$

□ 

The recursive formulas (7) and (9) naturally give the following algorithm for computing the target probabilities. 

[Proposed Algorithm] 

Step 1 Set $P(\sigma, 0)$ and $W(\sigma, 0)$ from (6) and (8). 

Step 2 Set $t := 1$. 

Step 3 Compute $P(\sigma, t)$ and $W(\sigma, t)$ for each $\sigma \in F_2^{n-k}$ from (7) and (9). 

Step 4 If $t < n$, then set $t := t + 1$ and go to Step 3. 

Step 5 Compute $(P_{cr}, P_{rj}, P_{ud})$ from Lemma 1 and output them. □ 

The proposed algorithm is based on the dynamic programming principle and is similar to the Viterbi algorithm (recursive computation of $W(\sigma, t)$) and to the forward computation of the BCJR algorithm [13] (recursive computation of $P(\sigma, t)$). 

4.2 Syndrome Trellis Representation 

The best way to understand the proposed algorithm is to use the syndrome trellis representation of $C$. The syndrome trellis is closely related to the Wolf trellis [14] and the BCJR trellis [13]. The BCJR trellis is naturally defined from the parity check matrix of a target code and it contains all the codewords of $C$ as its label sequences. For our purpose, we define the syndrome trellis, which is also defined based on the parity check matrix of $C$. 

The syndrome trellis of $C$ is a directed graph with edge labels. Each node in the syndrome trellis is associated with a pair $(\sigma, t)$ for $\sigma \in F_2^{n-k}$, $0 \le t \le n$. There exists an edge with label 0 between the nodes $(\sigma, t-1)$ and $(\sigma, t)$. In a similar way, there exists an edge with label 1 between the nodes $(\sigma, t-1)$ and $(\sigma \oplus h_t, t)$. The set of label sequences from $(\mathbf{0}, 0)$ to $(\mathbf{0}, n)$ coincides with $C$. Furthermore, the syndrome trellis contains all the binary vectors of length $n$. For example, the set of label sequences from $(\mathbf{0}, 0)$ to $(\sigma, n)$ coincides with the coset of $C$ corresponding to the syndrome $\sigma$. A more detailed definition of the syndrome trellis can be found in [9][11]. 



4.3 Related Algorithms 

The computation of the weight distribution of a binary linear code using the 
trellis structure started with the work by Desaki et al. [8]. They presented an 
efficient algorithm for computing the weight distribution of a given binary linear 
code using its minimal trellis. Wadayama et al. [9] proposed an algorithm (the 
WWK-algorithm) for enumerating the weight distribution of coset leaders for a 
given binary linear code. They computed several weight distributions of coset 
leaders for primitive BCH codes, extended primitive BCH codes and Reed-Muller 
codes with n − k ≤ 28 and n ≤ 128. This algorithm is based on the syndrome 
trellis of a target code and the recursive formula (9). Thus, we can regard the 
proposed algorithm as a natural extension of the WWK-algorithm. Recently, an 
improved algorithm has been presented by Maeda et al. [10]. With their algorithm, 
they disclosed weight distributions of coset leaders for several codes with n ≤ 128 
and n − k ≤ 42, such as the (64,22) BCH code. Fujita et al. [11] extended the 
WWK-algorithm to an algorithm for computing the complete coset weight 
distribution. They have computed the complete coset weight distributions of 
several codes such as the (63,39) BCH code. Their algorithm (the FW-algorithm) 
is based on the same principle as the proposed algorithm. Let E(σ, t) be the 
weight enumerator for C(σ, t) defined by 

E(\sigma, t) = \sum_{c \in C(\sigma, t)} z^{w_H(c)}. 

There is a recursive relation on the weight enumerators for σ ∈ F_2^{n−k}, 1 ≤ t ≤ n: 



E(\sigma, 0) = \begin{cases} 1, & \sigma = 0^{n-k} \\ 0, & \sigma \neq 0^{n-k} \end{cases} \qquad (22) 

E(\sigma, t) = E(\sigma, t-1) + z\, E(\sigma \oplus h_t, t-1). \qquad (23) 



The weight enumerator E(σ, n) is the weight enumerator of the coset correspond- 
ing to the syndrome σ. This recursive formula (23) gives the FW-algorithm. Note 
that this recursive formula is exactly the same as the one used in the algorithm 
by Desaki et al. [7][8]. The difference between the two algorithms lies in the trellis 
on which they work. Table 1 summarizes the algorithms closely related 
to the proposed algorithm. 
Table 1. Summary of related algorithms 

Target                                  Required recursive formula   Reference 
covering radius                         (9)                          [9] [10] 
weight distribution                     (23)                         [7] [8] 
weight distribution of coset leaders    (9)                          [9] [10] 
complete coset weight distribution      (23)                         [11] 
P_er, P_rj, P_ud (0 < τ < ρ)            (7) and (9)                  This section 
average distortion                      (7) and (9)                  Appendix 



4.4 Time and Space Complexity of the Proposed Algorithm 

In order to obtain the probabilities (P_er, P_ud, P_rj), we need to evaluate P(σ, t) 
and W(σ, t) for each σ ∈ F_2^{n−k} and 1 ≤ t ≤ n. There are at most n 2^{n−k} pairs 
(σ, t) and it takes constant time to calculate (7) and (9) for each pair. Hence, 
the time complexity of the proposed algorithm is O(n 2^{(1−r)n}), where r = k/n. 

In the above discussion, we assumed that the addition a ⊕ b, a, b ∈ F_2^{n−k}, 
which appears in the recursive formulas takes constant time to compute regard- 
less of n − k. This assumption seems somewhat artificial, but the behavior of 
the proposed algorithm implemented on a computer is well described under this 
assumption. This is because most computers can perform the addition of several 
bits (32 or 64) in parallel and it is impossible to treat codes with n − k > 64. 

To compute W(σ, t), we only need to keep W(σ, t − 1) for all σ. We thus need 
memory space proportional to log_2 n · 2^{n−k} for computing W(σ, t). In a similar 
way, memory space proportional to 2^{n−k} is required for computing P(σ, t). As 
a result, the space complexity of the proposed algorithm is O(log_2 n · 2^{(1−r)n}). 

A straightforward implementation of the proposed algorithm (without any 
modification) works well when n − k < 25–30 on today's typical personal 
computer. The technique devised by Maeda et al. [10] could be used to raise 
this upper limit. 

The known algorithms for computing the complete coset weight distribution 
are much slower and less space efficient than the proposed algorithm; for example, 
the FW-algorithm [11] is slower and less space efficient. Table 2 presents the 
comparison of the time and space complexities of the proposed algorithm, the 
FW-algorithm and a brute force (BF) algorithm. The BF algorithm generates all 
the binary vectors of length n to compute the target probabilities. From Table 
2, we see that the proposed algorithm is superior to the FW-algorithm and the 
BF-algorithm in terms of time and space complexities. 

Table 2. Comparison of time and space complexities 

              Time complexity        Space complexity 
Proposed      O(n 2^{(1−r)n})        O(log_2 n · 2^{(1−r)n}) 
FW [11] 
BF            O(n 2^n)               − 

Appendix 

Average Distortion 

As an application of the proposed algorithm, we here discuss a performance anal- 
ysis method for a vector quantizer using a binary linear code C. The following 
scenario is supposed. From an information source, a binary vector y ∈ F_2^n is 
generated equally likely. The vector quantizer finds the nearest codeword to y 
in such a way: x̂ = argmin{d_H(y, x) : x ∈ C}. From the above scenario, the 
average distortion of C is defined by 

D(C) = E[d_H(y, \hat{x})] \qquad (24) 

     = \frac{1}{2^n} \sum_{y \in F_2^n} d_H(y, \hat{x}). \qquad (25) 

Assume the BSC with p = 1/2. Of course, in this case, the received word y is 
independent of the transmitted word x. The quantization process is equivalent 
to MLD over this BSC. Hence, if y belongs to the coset C_v, the distance d_H(y, x̂) 
becomes the weight of the coset, namely w_H(v). From this observation, we can 
express D(C) by W(σ, n) and P(σ, n): 

D(C) = \sum_{v \in L(C)} w_H(v)\, P(y \in C_v \mid 0) \qquad (26) 

     = \sum_{v \in L(C)} w_H(v) \sum_{y \in C_v} P(y \mid 0) \qquad (27) 

     = \sum_{\sigma \in F_2^{n-k}} W(\sigma, n)\, P(\sigma, n). \qquad (28) 

Using the proposed algorithm and the above relation, we can compute D(C) 
efficiently. In Table 3, the average distortions of several codes computed by the 
above algorithm are shown. 



Table 3. Average distortion of several codes 

Code                      Average distortion 
(24,12,8) Golay code      3.353 
(31,16,7) BCH code        4.282 
(31,11,11) BCH code       6.069 
(63,45,7) BCH code        4.061 
(63,39,9) BCH code        5.595 
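Recursion (22)–(23) and formula (28) run as an added example (editor's code, not the paper's and not the authors' implementation): it builds E(σ, n) over the syndrome trellis from the columns of H, reads W(σ, n) off the lowest nonzero degree, and evaluates D(C) for the BSC with p = 1/2; the (7,4) Hamming check matrix and the Golay generator polynomial 0xC75 are the editor's choices. On the extended Golay code it returns 13732/4096 ≈ 3.353, the value of Table 3.

```python
"""Coset weight enumerators over the syndrome trellis and the average
distortion D(C).  Editor-added example, not code from the paper and not the
authors' implementation.  Notation as in the text: H has columns h_1..h_n,
sigma is a syndrome in F_2^{n-k}, E(sigma,t) is the weight enumerator of
C(sigma,t), W(sigma,n) the coset leader weight and P(sigma,n) the
probability that the BSC error pattern falls in the coset with syndrome sigma."""
from collections import Counter
from fractions import Fraction


def coset_weight_enumerators(cols, m, n):
    """Recursion (22)-(23) over the syndrome trellis of H.

    cols: the n columns h_t of H, each as an m-bit integer (m = n - k).
    Returns E with E[sigma][w] = coefficient of z^w in E(sigma, n), i.e. the
    number of binary vectors of length n and weight w with syndrome sigma.
    """
    E = [[0] * (n + 1) for _ in range(1 << m)]
    E[0][0] = 1                          # (22): E(sigma, 0) = 1 iff sigma = 0
    for h in cols:                       # one trellis section per column h_t
        nxt = []
        for s in range(1 << m):
            a, b = E[s], E[s ^ h]        # label-0 edge from s, label-1 edge from s+h_t
            # (23): E(s, t) = E(s, t-1) + z * E(s xor h_t, t-1)
            nxt.append([a[0]] + [a[w] + b[w - 1] for w in range(1, n + 1)])
        E = nxt
    return E


def coset_leader_weights(E):
    """W(sigma, n): lowest degree with a nonzero coefficient in E(sigma, n)."""
    return [next(w for w, c in enumerate(e) if c) for e in E]


def average_distortion(E, n, p=Fraction(1, 2)):
    """D(C) = sum_sigma W(sigma, n) P(sigma, n), formula (28).

    P(sigma, n) is read off the coset weight enumerator for a BSC with
    crossover probability p; for p = 1/2 every coset has probability 2^(k-n)
    and D(C) is the mean coset leader weight, as in the Appendix.
    """
    pw = [p ** w * (1 - p) ** (n - w) for w in range(n + 1)]
    total = Fraction(0)
    for e, w_leader in zip(E, coset_leader_weights(E)):
        total += w_leader * sum(c * pw[w] for w, c in enumerate(e) if c)
    return total


def parity_check_columns(G_rows, n, k):
    """Columns h_1..h_n of a parity check matrix for the code generated by G.

    G_rows: k generator rows as n-bit integers (bit i = position i).  G is
    brought to [I_k | A] by GF(2) elimination (assumes the first k columns of
    G are independent, true for the codes below) and H = [A^T | I_{n-k}] is
    returned column by column as (n-k)-bit integers.
    """
    rows = list(G_rows)
    for i in range(k):
        piv = next(r for r in range(i, k) if rows[r] >> i & 1)
        rows[i], rows[piv] = rows[piv], rows[i]
        for r in range(k):
            if r != i and rows[r] >> i & 1:
                rows[r] ^= rows[i]
    return [rows[t] >> k if t < k else 1 << (t - k) for t in range(n)]


def hamming74_columns():
    """H of the (7,4) Hamming code: column t is the 3-bit binary expansion of t."""
    return list(range(1, 8))


def golay24_columns():
    """H of the extended (24,12,8) Golay code.

    Generator rows x^i g(x), 0 <= i < 12, of the cyclic (23,12) Golay code
    with g(x) = x^11 + x^10 + x^6 + x^5 + x^4 + x^2 + 1 (0xC75), each
    extended by an overall parity bit at position 23.
    """
    g = 0xC75
    rows = []
    for i in range(12):
        r = g << i
        r |= (bin(r).count("1") & 1) << 23
        rows.append(r)
    return parity_check_columns(rows, 24, 12)


if __name__ == "__main__":
    for name, cols, m, n in (("Hamming (7,4)", hamming74_columns(), 3, 7),
                             ("Golay (24,12,8)", golay24_columns(), 12, 24)):
        E = coset_weight_enumerators(cols, m, n)
        print(name, "weight enumerator E(0, n):", E[0])
        print("  coset leader weight distribution:",
              sorted(Counter(coset_leader_weights(E)).items()))
        print("  average distortion D(C) =", float(average_distortion(E, n)))
```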
Abstract. Differential geometry and differential algebra are two for- 
malisms which can be used to study systems of partial differential equa- 
tions. Cartan's characters are numbers which naturally appear in the 
former case; stairs of characteristic sets are pictures naturally drawn in 
the latter. In this paper, we clarify the relationship between these two 
notions. We also prove some invariant properties of characteristic sets. 



1 Introduction 

Cartan's characters are numbers (ranks of matrices) associated to analytic sys- 
tems of exterior differential forms. Exterior differential systems come from dif- 
ferential geometry [4,11]. A solution of an analytic exterior differential system S 
is a differential manifold (the integral manifold of S) the tangent space of which 
annihilates the differential system (Cartan–Kähler theorem). The Cartan's char- 
acters of an analytic exterior differential system S indicate if S has solutions, 
provide the dimension of the integral manifold of S and the number of arbi- 
trary analytic functions of the highest number of variables the integral manifold 
depends on. Cartan's characters are geometric objects, in the sense that they 
are invariant under the action of changes of coordinates. Every analytic system 
Σ of partial differential equations can be transformed into an analytic exterior 
differential system S. The integral manifold of S is however a solution of the 
PDE system Σ only if the exterior differential system S satisfies an additional 
hypothesis: being in involution. 

A characteristic set is a set of differential polynomials. This notion is defined 
in differential algebra [13,6], which aims at solving systems of ordinary or partial 
differential equations from a purely algebraic point of view. A solution of a 
system of differential polynomials is a point with coordinates in some differential 
field extension of the base field of the polynomials. A characteristic set of the 
differential ideal a generated by a system of differential polynomials Σ indicates if 
this system has solutions and permits to compute formal power series solutions 
of Σ. These formal power series may not be convergent in any neighborhood 
of the expansion point, and hence do not necessarily represent analytic solutions 
of Σ. The characteristic sets of a are not geometric objects, in the sense that 
they depend on some ranking on the sets of the derivatives of the differential 
indeterminates and that their images under changes of coordinates are usually 
not characteristic sets. The stairs generated by a characteristic set C of a are 
pictures which can be drawn by looking at C. They reflect some properties of C 
and of the solutions of Σ. 

In this paper, we clarify the relationship between Cartan's characters and 
stairs of a particular class of characteristic sets. We show how to read the first 
Cartan's character of the exterior differential system obtained from a PDE sys- 
tem Σ in the stairs of the orderly characteristic sets of a and we give a conjecture 
for the last Cartan's character. To support this conjecture, we prove that the 
properties of orderly characteristic sets which give this last Cartan's character 
are invariant under change of orderly ranking (Theorem 2) and under the ac- 
tion of some changes of coordinates (Theorem 3). We also reformulate the Cauchy– 
Kovalevskaya theorem (which is the base of the Cartan–Kähler theorem) in terms 
of characteristic sets and show its relationship with orderly characteristic sets. 

We assume for legibility that the differential ideal a is prime. The results we 
give generalize to regular differential ideals using [1,2,8, Lazard's lemma]. 

2 Differential Exterior Algebra 

2.1 Cartan’s Characters 

Let S be an exterior differential system. Cartan's characters give the maximal 
dimension n of integral elements of S. They are obtained by constructing succes- 
sive integral elements of increasing dimension. The Cartan–Kähler theorem [11, 
Theorem 15.7] asserts that the integral elements of dimension n form the tangent 
space of some differential manifold of dimension n: the integral manifold of S. 

2.2 PDE Systems to Exterior Differential Systems 

Every analytic PDE system Σ can be converted to an analytic exterior differ- 
ential system S and conversely [4, page 88]. The differential manifold solutions 
of Σ are the integral manifolds of S (provided that S is in involution). 

Let Σ be a system in the partial derivatives of the dependent variables 
{u^α, α = 1, …, n} with respect to the independent variables {x^i, i = 1, …, p}. 
Let u^α_J denote the derivatives of the dependent variables u^α, where J denotes 
the multi-index (j_1, …, j_k), 1 ≤ j_l ≤ p. With this notation u^α_J represents the 
derivative of u^α with respect to (x^{j_1} ⋯ x^{j_k}). The order of J, denoted by #J, is 
equal to k. The derivative of the variable u^α_J with respect to the independent 
variable x^i is denoted u^α_{J,i}. Let J^q = {x^i, u^α_J}, 1 ≤ i ≤ p, 0 ≤ #J ≤ q denote 
the jet space of order q. Assume that Σ is a system of PDE of J^q and suppose 
to simplify that Σ has solutions. 

S: 

\Sigma \qquad (1) 

du^\alpha_J - \sum_{i=1}^{p} u^\alpha_{J,i}\, dx^i = 0, \quad 0 \le \#J < q \qquad (2) 

d\Sigma \qquad (3) 

\sum_{i=1}^{p} dx^i \wedge du^\alpha_{J,i} = 0 \qquad (4) 

The exterior differential system S corresponding to Σ is displayed above, 
where (1) is the system of PDE (the 0-forms of the exterior system), (2) is 
the set of contact forms on J^q, (3) and (4) are the exterior derivatives of (1) and 
(2) respectively. The system S is closed. 

2.3 System in Involution 

In exterior differential algebra, there is a priori no distinction between indepen- 
dent and dependent variables. Therefore, the solutions of S may imply relations 
between the independent variables of Σ. This we want to avoid. Roughly speak- 
ing, a system S is in involution with respect to x^1, …, x^p if its solutions do not 
imply any relation between these variables (i.e. dx^1 ∧ ⋯ ∧ dx^p ≠ 0). 

Every exterior differential system can be transformed into a differential system 
in involution by the prolongation process. 

Definition 1 ([4, page 88]). An exterior differential system S is said to be in 
involution with respect to x^1, …, x^p if the equations of its integral elements of 
dimension p do not involve any relation on dx^1, …, dx^p. 

To check if a differential exterior system is in involution, one has to compute 
the reduced Cartan's characters. They are obtained by a computation similar to 
that of the Cartan's characters but imposing the independence of some variables [3]. 

Theorem 1 (algorithmic criterion for involution). A differential exterior sys- 
tem is in involution if and only if its reduced Cartan's characters are equal to its 
Cartan's characters. 

Proof. See [10, pages 467–468]. 

2.4 Prolongation of an Exterior Differential System 

Consider again the exterior differential system S obtained from Σ. Assume that 
S lies in J^q and that S is not in involution. By the Cartan–Kuranishi pro- 
longation theorem [11] the system S can be prolongated up to order q(S) to obtain 
a system S' which is in involution (we denote by q(S) the smallest nonnegative 
integer such that the prolongated system is in involution). In this section, we 
assume that 0-forms are polynomials since there are decision problems which 
are not algorithmic when one considers wider classes of 0-forms. To prolongate 
S from J^q to J^{q+1} one performs the following steps: 

1. Enlarge S with the contact forms which lie in J^{q+1} but not in J^q and with 
their exterior derivatives (this amounts to considering the equations defining a 
plane element of dimension p). 

2. Enlarge S with a basis B of the algebraic ideal of the 0-forms which are 
consequences of S and of the independence of dx^1, …, dx^p. This ideal is 
generated by the coefficients of all the relations (5) lying in the exterior 
(nondifferential) ideal generated by S. 

c_i\, dx^i = 0, \quad c_{ij}\, dx^i \wedge dx^j = 0, \quad \dots \qquad (5) 

Algorithmically, one can first compute a Gröbner basis G of the exterior 
ideal generated by S for an elimination ordering such that du^α_J > dx^i, … 
(the dots standing for the indeterminates occurring in the coefficients c_k of 
the forms). A basis B is given by the set of the coefficients of the forms of G 
which only involve dx^i, … and not any du^α_J. 

3. Repeat steps 1 and 2 as long as the system is not in involution. 

2.5 Implementation 

The computation of Cartan's characters and of the prolongation process were 
implemented by the second author in a MAPLE VI package. This package han- 
dles polynomial 0-forms which are not necessarily solved w.r.t. some set of in- 
determinates (this is an improvement w.r.t. [5]). The necessary computations 
modulo the 0-forms are performed using Gröbner bases methods and a MAPLE 
implementation by F. Lemaire of triangular sets algorithms [7]. 

The package also involves specialized algorithmic techniques which replace 
Gröbner bases in the case of exterior differential systems coming from PDE 
polynomial systems (these techniques only apply when the exterior system is 
made with forms of degree at most 2). 



2.6 Example 

Consider the system Σ : u_xx = 1, u_yy = 1. A detailed analysis is given in [3]. The 
differential exterior system obtained from Σ must be prolonged once in order to 
be in involution. This done, one finds the Cartan's characters s_0 = 10 and s_1 = 0. 
The reduced Cartan's characters are identical. By the Cartan–Kähler theorem, 
S' admits an integral manifold of dimension 2 with independent variables x 
and y which does not depend on arbitrary functions (since s_1 = s_2 = 0). The 
manifold thus depends on arbitrary constants and the equations of the integral 
elements of dimension 2 imply that for one x and one y, only u, u_x, u_y and u_xy 
are undetermined. These are the four constants the manifold of S depends on. 

Remark. For systems as simple as this one there are more efficient methods. 
See in particular [18] for an approach based on Janet's theory. 

3 Differential Algebra 

Basic notations can be found in [3]. They are very close to those of [6]. Let a be 
a differential ideal of R. 

Definition 2. An autoreduced subset C ⊂ a is said to be a characteristic set 
of a if a contains no nonzero differential polynomial reduced w.r.t. C. 

One can associate a set of diagrams to any characteristic set C: there is 
one diagram per differential indeterminate. On each diagram, there are as many 
axes as there are derivations. The leaders of the elements of C are represented as 
black circles. The area which contains their derivatives is striped. We call stairs 
generated by C the pictures dr﻿awn over the diagrams associated to C. 

The derivatives which are not derivatives of any leader of C, i.e. the derivatives 
which lie in the nonstriped areas, are called derivatives under the stairs of C. 
The nonstriped areas can be represented as a finite, irredundant union of bands, 
either perpendicular or parallel to each axis, called bands under the stairs of C. 
These bands may have different dimensions (e.g. dimension 2 bands are planes, 
dimension 1 bands are lines, dimension 0 bands are points). 

Consider for instance the heat equation u_t = u_xx. The situation is very simple 
for there is only one linear equation. This equation already forms a character- 
istic set of the prime differential ideal it generates in R = K{u} endowed with 
derivations w.r.t. x and t. There are actually two characteristic sets possible: 
one such that u_t is the leader of the equation (w.r.t. some nonorderly ranking), 
which generates one stair with two dimension 1 bands, and one such that u_xx is 
the leader of the equation (w.r.t. some orderly ranking), with one dimension 1 
band. 




The following example illustrates a more complicated, nonlinear, situation 
where there are only finitely many derivatives (dimension zero bands) under the 
stairs. The system C is a characteristic set w.r.t. the orderly ranking 

⋯ > v_xx > v_xy > v_yy > u_xx > u_xy > u_yy > v_x > v_y > u_x > u_y > v > u 

of the prime differential ideal [C] : H_C^∞ in the ring Q{u, v} endowed with deriva- 
tions w.r.t. x and y. Ranks are on the left hand side of the equal signs. Initials 
of the differential polynomials are denominators of the right hand side. 

C = {VxX = Ux, Vy = {UxUy + UxUyU)/{4:U), U^, = 4: U , = 2 u} 

It generates the following set of two stairs: 





368 F. Boulier and S. Neut 

The following system C̄ is a characteristic set w.r.t. the nonorderly ranking 

⋯ > u_x > u_y > u > ⋯ > v_xx > v_xy > v_yy > v_x > v_y > v 

of the same differential ideal a. 

C = {u = Vyy, Vxx = 2 Vyy, Vxy = {Vyy ~ ^yy) /Vy, V yy = 2 V yy 2 Vy ~ 1} 

Here are the stairs generated by C̄. 




Seidenberg proved [17, page 160] that every abstract solution (taken in some 
differential field) of a differential polynomial system can be translated as a formal 
power series solution. See also the recent [15]. 

Given any characteristic set C of a, one can compute the Taylor expansions 
of the u_i. These Taylor expansions depend on the chosen characteristic set. Denote R_0 
the ring of the differential polynomials partially reduced w.r.t. C. Seidenberg 
proved [16, page 52] that every algebraic solution of C = 0, H_C ≠ 0, viewed 
as a system of R_0, extends to a unique differential solution of a. The algebraic 
solution of C = 0, H_C ≠ 0 can be obtained by assigning nearly arbitrary values 
to the derivatives under the stairs of C (for they are algebraically independent 
modulo a) and assigning to the leaders of the elements of C values which are 
algebraic over them (solving the system as an algebraic dimension zero system). 

The bands of dimension k under the stairs of C can be viewed as arbitrary 
functions of k variables the computed Taylor expansions depend on. Assume 
that the set of the derivatives under the stairs of C is formed of b_k bands of 
dimension k, for 0 ≤ k ≤ m, and consider one band of dimension k. Renaming 
the derivations if needed, assume it is parallel to the axes x_1, …, x_k and per- 
pendicular to the hyperplane which contains the axes x_{k+1}, …, x_m. Assume it 
crosses this hyperplane at a given point. Then we can say that the values assigned 
to the derivatives lying on that band are given by an arbitrary function f of k 
variables: … (x_1, …, x_k, 0, …, 0) = f(x_1, …, x_k). Some bands may over- 
lap. In such a situation, the values at the origin of the corresponding arbitrary 
functions and some of their derivatives must be the same. 

It is now tempting to claim that the solutions of a depend on b_k arbitrary 
functions of k variables, for 0 ≤ k ≤ m. Such a claim is however problematic 
for the numbers b_0, …, b_m depend on the chosen characteristic set and not on 
the differential ideal. The heat equation provides the simplest example. Its so- 
lution would depend either on one or on two arbitrary functions of one variable, 
depending on the chosen characteristic set. 

This example was already considered by Cartan in [4, page 76] (and for- 
merly by S. Kovalevskaya, to make explicit the importance of solving PDEs w.r.t. the 
highest order derivatives to provide convergence of power series¹), who chose to 
consider that the solutions of the heat equation depend on two arbitrary func- 
tions u(0, t) = f_0(t) and u_x(0, t) = f_1(t) for the following reason: with such 
a choice, if the two arbitrary functions are analytic then the formal power se- 
ries computed from the characteristic set u_xx = u_t are analytic because of the 
Cauchy–Kovalevskaya theorem. If we consider however that the solutions of the 
heat equation depend on only one arbitrary function u(x, 0) = f(x) then the 
formal power series computed from the characteristic set u_t = u_xx may not be 
analytic, even if f(x) is analytic. An example is f(x) = 1/(1 − x) for which the 
power series only converges for x = 0. We have formulated Cartan's analysis in 
terms of characteristic sets but Cartan does not. 
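A check, added here and not part of the paper, of why the series built from the characteristic set u_t = u_xx fails to converge for this f: since u_{t^n} ≡ u_{x^{2n}} modulo the equation, the formal solution with initial data u(x, 0) = f(x) is 

$$u(x,t) = \sum_{n \ge 0} \frac{t^n}{n!}\, f^{(2n)}(x),$$ 

and for f(x) = 1/(1 − x) one has f^{(2n)}(x) = (2n)!/(1 − x)^{2n+1}, hence 

$$u(x,t) = \sum_{n \ge 0} \frac{(2n)!}{n!}\, \frac{t^n}{(1-x)^{2n+1}}.$$ 

The ratio of consecutive terms is $\frac{(2n+2)(2n+1)}{n+1}\,\frac{|t|}{(1-x)^2}$, which tends to infinity with n, so the series in t diverges for every t ≠ 0 (for any fixed x ≠ 1) and converges only at t = 0. With the roles exchanged (characteristic set u_xx = u_t and analytic data u(0, t) = f_0(t), u_x(0, t) = f_1(t)), the Cauchy–Kovalevskaya theorem guarantees convergence, which is the reason for Cartan's choice above. 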

Let's now reformulate the Cauchy–Kovalevskaya theorem [12,10] in terms of 
characteristic sets too. This theorem deals with systems of equations in the 
partial derivatives of unknown functions u_1, …, u_n w.r.t. independent variables 
t, x_1, …, x_m (the independent variable t is distinguished). 

\frac{\partial^{r_i} u_i}{\partial t^{r_i}} = \phi_i\left(t, x_1, \dots, x_m, \dots, \frac{\partial^k u_j}{\partial t^{k_0}\, \partial x_1^{k_1} \cdots \partial x_m^{k_m}}, \dots\right) 

The indices must be such that 1 ≤ j ≤ n and k_0 + ⋯ + k_m = k ≤ r_j and 
k_0 < r_j. We claim therefore that, if the φ_i functions were differential polynomi- 
als then this system would form a characteristic set of a prime differential ideal 
w.r.t. some orderly ranking. Indeed, it would be coherent in the sense of [14] for 
there is one equation per differential indeterminate. It would be autoreduced. 
Last, it would be orthonomic (i.e. the initials and separants of all differential 
polynomials would be equal to 1) whence would generate a prime differential 
ideal. □ This characteristic set would generate stairs of a very simple form. The 
set of the derivatives under the stairs generated by the system is formed of 
r_1 + ⋯ + r_n bands of dimension m, to which correspond r_1 + ⋯ + r_n arbitrary 
functions f(x_1, …, x_m). Assume we are looking for a solution in the neighbor- 
hood of zero. The Cauchy–Kovalevskaya theorem then states that, if the φ_i and 
the f functions are analytic in the neighborhood of the expansion point then 
the differential system has a unique analytic solution. One often says that the 
solutions of the system depend on r_1 + ⋯ + r_n arbitrary functions of m variables. 



3.1 Some Invariant Properties of Stairs 

We do not know if the Cauchy–Kovalevskaya theorem holds for general orderly character- 
istic sets. We have never heard of any such generalization but we believe it is 
true. This conjecture is strongly supported by some invariant properties of orderly 
characteristic sets that we prove below. Let C be an orderly characteristic set of 
some differential prime ideal a in R = K{U}. Let N be the set of the derivatives 
under the stairs of C and d be any nonnegative integer. 

¹ We would like to thank the referee for this remark. 
Proposition 1. The set N_d = {w ∈ N | ord w ≤ d} constitutes a transcendence 
basis of the field extension G_d = Fr(R_d / (a ∩ R_d)) over K. 

Proof. This is a very easy proposition (though we do not know any reference for 
it). See [3] for an elementary proof. 

Since two different transcendence bases of G_d have the same number of el- 
ements, we see that the number of derivatives of order less than or equal to d 
under the stairs of C is the same for every orderly characteristic set of a. By 
some combinatorial argument, we may conclude that 

Theorem 2. Let a be any prime differential ideal. The number of bands of high- 
est dimension is the same under the stairs of all orderly characteristic sets of a. 

The theorem above is strongly related to [6, Theorem 6, page 115] on the 
differential analogue of Hilbert's characteristic polynomial. This polynomial only 
depends on the differential ideal a and not on any ranking. Denote ω this poly- 
nomial. For every sufficiently big d the integer ω(d) provides the transcendence 
degree of G_d over K (with the notation of our Proposition 1). Moreover, from 
any orderly characteristic set C of a satisfying [6, item (e), Lemma 16, page 
51], it is possible to extract an explicit formula for ω, which is invariant by any 
change of orderly ranking. Therefore, our theorem follows from Kolchin's theorem if 
all characteristic sets of a satisfy [6, item (e), Lemma 16, page 51]. Our proof 
covers all cases and relies on much simpler arguments. 

We are going to prove that this number is invariant under the action of orderly 
invertible changes of coordinates. Let R = K{u_1, …, u_n} endowed with deriva- 
tions w.r.t. independent variables x_1, …, x_m and R̄ = K{u_1, …, u_n} endowed 
with derivations w.r.t. independent variables x̄_1, …, x̄_m be two differential poly- 
nomial rings. We consider an invertible change of coordinates φ : R → R̄, i.e. a 
change of coordinates such that the solutions of any system of differential poly- 
nomials Σ ⊂ R can be obtained by first solving φΣ, then applying the inverse 
change of coordinates φ^{−1} over the solutions of φΣ. A simple example is given 
by φ : w = x + y, z = x − y over the differential ring R = K{u} endowed 
with derivations w.r.t. x and y. The field K = Q(x, y). The inverse change is 
φ^{−1} : x = (w + z)/2, y = (w − z)/2. The changes of coordinates we consider are 
K-algebra isomorphisms. They map derivatives to differential polynomials (e.g. 
φ(u_xx) = u_ww + 2u_wz + u_zz). They establish a bijection between the differential 
ideals of R and those of R̄, as the following proposition shows. 

Proposition 2. For every differential polynomial p ∈ R and every system of 
differential polynomials Σ of R we have p ∈ √[Σ] ⟺ φp ∈ √[φΣ]. 

Proof. Using the differential theorem of zeros. See [3]. 

A change of coordinates φ is said to be orderly if it maps any derivative of 
order d to a differential polynomial involving only derivatives of order d. This 
is the case in our example. Let φ : R → R̄ be an orderly change of coordinates. 
Let C (resp. C̄) be an orderly characteristic set of some prime differential ideal a 
(resp. ā = φa). Denote N_d (resp. N̄_d) the set of the derivatives under the stairs 
of C (resp. C̄) with order less than or equal to d. 
Proposition 3. The sets N_d and N̄_d have the same number of elements. 

Proof. A transcendence degree argument. See [3]. 

By some combinatorial argument, we may conclude that 

Theorem 3. If φ is an invertible orderly change of coordinates, a is a prime 
differential ideal and ā = φa then the number of bands of highest dimension is 
the same under the stairs of all orderly characteristic sets of a and ā. 

4 Cartan’s Characters and Characteristic Sets 

Let C be an orderly characteristic set of a differential prime ideal a = [C] : H_C^∞ 
of some differential polynomial ring R. When one converts C to an exterior 
differential system S, one does not necessarily get an exterior differential system 
in involution. The linear system Σ given in Section 2.6 provides such an example. 
However there exists a positive integer q(S) ≥ ord C such that the exterior 
differential system S' obtained by prolongation of S is in involution. 



4.1 Reading the First Cartan’s Character 

Define C_{q(S)} = {r ∈ ΘC | ord r ≤ q(S)}. The set C_{q(S)} need not be triangular for 
it may contain different differential polynomials having the same leader. Define 
C'_{q(S)} as any triangular subset of C_{q(S)} having the same set of leaders as C_{q(S)}. 
Denote c_1, …, c_k the coefficients obtained at step 2 of the prolongation 
process when computing S' from C (see Section 2.4). 

Proposition 4. We have (C ∪ {c_1, …, c_k}) : . 

Proof. See [3]. 



Corollary 1. The vector space spanned by dC ∪ {dc_1, …, dc_k} over the field of 
fractions G of R_{q(S)} / (a ∩ R_{q(S)}) is the vector space spanned by dC'_{q(S)}. 

Proof. See [3]. 



Theorem 4. The first Cartan's character s_0 of S' is equal to dim minus 
the number of independent variables plus the number of derivatives of leaders of 
C'_{q(S)} which have order q(S). 

Consider again the system {u_xx = 1, u_yy = 1}. Here q(S) = 3, dim = 
8 and there are two independent variables. The system forms a characteristic set 
for any orderly ranking. As in Section 2.6, the theorem gives s_0 = 10. 
4.2 Reading the Last Cartan's Character 

From the Cartan–Kähler theorem and Theorems 2 and 3, we conjecture 

Conjecture 1. The last nonzero Cartan's character s_i is equal to the number of 
bands of highest dimension under the stairs of all orderly characteristic sets of 
the differential ideal a, provided that i ≠ 0. 

Consider for instance the heat equation. The last nonzero Cartan's character 
is s_1 = 2 [4, page 76]. There are two bands of dimension 1 under the stairs of 
the only orderly characteristic set of the differential ideal [u_xx − u_t]. [5], [18] 

Acknowledgements. We would like to thank the referee for his very construc- 
tive report. 
Abstract. Let C be a curve of genus 2 that admits a non-hyperelliptic 
involution. We show that there are at most 2 isomorphism classes of 
elliptic curves that are quotients of degree 2 of the Jacobian of C. 

Our proof is constructive, and we present explicit formulae, classified 
according to the involutions of C, that give the minimal polynomial of the 
j-invariant of these curves in terms of the moduli of C. The coefficients of 
these minimal polynomials are given as rational functions of the moduli. 



Introduction 

Among the curves of genus 2, those with reducible Jacobian have a particular 
interest. For instance, the present records for rank or torsion are obtained on 
such curves [3]. Also, it is in this particular setting that Dem’janenko-Manin’s 
method yields all the rational points of a curve [7]. 

The aim of this paper is to give a constructive proof of the following theorem. 



Theorem 1. Let C be a curve of genus 2 with (2,2)-reducible Jacobian. Then 
there are at most 2 elliptic curves that are quotients of degree 2 of its Jacobian, 
up to isomorphism. 



In this case, we present rational formulae that give the j-invariant of these elliptic 
curves in terms of the moduli of C. 

The moduli of the curves of genus 2 form a 3-dimensional variety that was 
first described by Igusa in [4]. His construction relies on 4 covariants of the 
associated sextic, denoted by (A, B, C, D); see also [11]. We use the moduli 
(j_1, j_2, j_3) proposed in [5], which are ratios of these covariants. If A is not zero, 
they are given by 

j_1 = 144\, \frac{B}{A^2}, \qquad j_2 = -1728\, \frac{AB - 3C}{A^3}, \qquad j_3 = 486\, \frac{D}{A^5}. 

The special case A = 0 is dealt with in the Appendix. In the sequel, the char- 
acteristic of the base field will be supposed different from 2, 3 and 5. We will 
regularly work over an algebraic closure of the initial field of definition of the 
curves. 
© Springer-Verlag Berlin Heidelberg 2001




374 P. Gaudry and E. Schost 



Acknowledgements 

The computations necessary to obtain the formulae given here were done on
the machines of UMS MEDICIS 658 (CNRS - Ecole polytechnique). We thank
Philippe Satgé for his careful reading of this paper, and François Morain for his
numerous comments and suggestions.



1 Preliminaries 

Definition 2 The Jacobian of a curve C of genus 2 is (2,2)-reducible if there
exists a (2,2)-isogeny between Jac(C) and a product E1 × E2 of elliptic curves.
The curve E1 is then called a quotient of Jac(C) of degree 2.

As usual, the prefix (2, 2) means that the kernel of the isogeny is isomorphic to
Z/2Z × Z/2Z.

A curve of genus 2 always admits the hyperelliptic involution, denoted ι,
which commutes with all other automorphisms. The following lemma, in substance
in [4], relates the reducibility to the existence of other involutions.

Lemma 3 Let C be a curve of genus 2. The set of the non-hyperelliptic involutions
of C is mapped onto the isomorphism classes of elliptic curves which
are quotients of degree 2 of the Jacobian of C, via τ ↦ C/τ. As a consequence,
the Jacobian of C is (2,2)-reducible if and only if C admits a non-hyperelliptic
involution.

Proof. Let τ be a non-hyperelliptic involution of C. The quotient of C by τ is a
curve E of genus 1 [4]; this curve is also a quotient of the Jacobian of C. The
Jacobian projects onto E, and the kernel of this map is another elliptic curve E′.
Consequently, the Jacobian of C splits as E × E′.

Let now E be an elliptic quotient of degree 2 of Jac(C). There exists a morphism
φ of degree 2 from C onto E. For a generic point p on C, the fiber φ^{-1}(φ(p))
can be written {p, q(p)}, where q is a rational function of p. We define τ as the
map p ↦ q(p). Since the curve E has genus one, τ is not the hyperelliptic
involution. □

Bolza [1], Igusa [4] and Lange [8] have classified the curves with automorphisms,
in particular the curves with involutions. The moduli of such curves
describe a 2-dimensional subvariety of the moduli space; we will denote this set
by H_2. In our local coordinates, this hypersurface is described by the following
equation R(j1, j2, j3), whose construction is done in [11].

R : 839390038939659468275712^3 + 921141332169722324582400000j| 

+ 32983576347223130112000ji J 3 -I- 182200942574622720^34142 

- 3748133675820810244341 42 -I- 9995023135522160640000434142 

+ 9414317882742 - 5622200513731215364342 - 562220051373121536434? 

+ 43381176803481600434? - 719641665757595566080004|42 

- 3886064995091016056832004341 - 11568313814261764?43 

- 313810596094? + 627621192184?42 -I- 139471376044?4| 

- 31381059609414? - 1882863576544?4? - 69735688024?42 

+ 1926124250074583044?43 -|- 941431788274? - 69735688024? 

+ 289207845356544004?4342 4- 1648484718532300804?4342 = 0. 
We will call reduced group of automorphisms of a curve the quotient of its group
of automorphisms by ι. Then the points on H_2 can be classified according
to their reduced group of automorphisms G.

— G is the dihedral group D_6; this is the case for the point on H_2 associated
to the curve y² = x⁶ + 1.

— G is the symmetric group S_4; this is the case for the point associated to the
curve y² = x⁵ − x.

— G is the dihedral group D_3; the corresponding points describe a curve D on
H_2, excluding the two previous points.

— G is Klein's group V_4. The corresponding points describe a curve V on H_2,
excluding the two previous points; these 2 points form the intersection of D
and V.

— G is the group Z/2Z. This corresponds to the open subset U = H_2 − D − V;
this situation will be called the generic case.

In the sequel, we characterize all these cases, except the two isolated points,
in terms of the moduli of C, describe the involutions of C and compute the
corresponding j-invariants.

In the generic case, we introduce two characteristic invariants of the isomorphism
classes. Our explicit formulae give an easy proof of the fact that the curves
with moduli on D admit a real multiplication by √3. Finally, the involutions are
naturally paired as (τ, τι), and these involutions correspond in general to distinct
elliptic curves; we show that on the curve V, each pair (τ, τι) yields a single
elliptic curve.

The proof of Theorem 1 could be achieved through the exhaustive study of all
possible automorphism groups, which would require considering groups of order
up to 48. We follow another approach, which relies on the computer algebra of
polynomial systems.

This method requires treating many polynomial systems. While most of them
can be easily treated by the Gröbner bases package of the Magma Computer Algebra
System [10], the more difficult one in Section 2 requires another approach,
which we will briefly describe. The systems we solved cannot be given here, for
lack of space; they are available upon request. The study of the group action in
Section 2 was partly conducted using the facilities of Magma for computing in
finite groups.

2 The Generic Case 

In the open set U, the reduced group of automorphisms is Z/2Z. Consequently,
the whole group of automorphisms has the form {1, ι, τ, τι}, and Lemma 3 implies
that there are at most two elliptic quotients. Our goal is to compute a polynomial
of degree 2 giving their j-invariants in terms of the moduli (j1, j2, j3).

2.1 The Minimal Polynomial from a Rosenhain Form 

As a first step, we obtain the j-invariants from a Rosenhain form. The following 
result is based on [4], which gives the Rosenhain form of a (2, 2)-reducible curve. 
Theorem 4 Let C be a curve of genus 2 whose moduli belong to H_2. On an
algebraic closure of its definition field, C is isomorphic to a curve of equation

$$y^2 = x(x-1)(x-\lambda)(x-\mu)(x-\nu), \qquad \text{where } \mu = \frac{\nu(1-\lambda)}{1-\nu},$$

and λ, μ, ν are pairwise distinct, different from 0 and 1. The Jacobian of C
is (2,2)-isogenous to the product of the elliptic curves of equation y² = x(x − 1)(x − Λ),
where Λ is a solution of

$$\nu^2 \lambda^2 \Lambda^2 + 2\nu\mu(\lambda - 2\nu)\Lambda + \mu^2 = 0. \qquad (1)$$



Proof. The curve C has 6 Weierstrass points, and an isomorphism from C to
another curve is determined by the images of 3 of these points. Let τ be a
non-hyperelliptic involution of C, and P1, P2, P3 be Weierstrass points on C
that represent the orbits of τ. The curve C′ defined by sending {P1, P2, P3} to
{0, 1, ∞} admits the equation y² = x(x − 1)(x − λ)(x − μ)(x − ν). This curve is
not singular, so λ, μ, ν are pairwise distinct, and different from 0 and 1.

The image of the involution of C on C′ is still denoted by τ. This involution
permutes the Weierstrass points of C′; up to a change of names, we have τ(0) = λ,
τ(1) = μ and τ(∞) = ν. On the other hand, τ can be written



$$\tau(x, y) = \left( \frac{ax + b}{cx + d},\ \frac{w\,y}{(cx + d)^3} \right),$$

and since it has order 2, we have a = −d and w = ±(ad − bc)^{3/2}. The involution
τ is determined by τ(0) = λ and τ(∞) = ν, which gives



$$\tau(x, y) = \left( \frac{\nu(x - \lambda)}{x - \nu},\ \frac{u^3\,y}{(x - \nu)^3} \right),$$

where u = ±√(ν(ν − λ)). Changing the sign of u amounts to composing τ with
ι. The relation τ(1) = μ then yields the first assertion μ = ν(1 − λ)/(1 − ν).

We now look for a curve isomorphic to C′, where the involution can be written
(x, y) ↦ (−x, y). This means that we consider a transformation

$$\varphi(x) = \frac{ax + b}{cx + d}$$

such that φ(0) = −φ(λ), φ(1) = −φ(μ). The map

$$\varphi(x) = \frac{x - \nu - u}{x - \nu + u}$$

is such a transformation. As a result, the curve C′ is isomorphic to the curve C″
of equation y² = (x² − x1²)(x² − x2²)(x² − x3²), where

$$x_1 = \varphi(\infty) = 1, \qquad x_2 = \varphi(0) = \frac{\nu + u}{\nu - u}, \qquad x_3 = \varphi(1) = \frac{1 - \nu - u}{1 - \nu + u}.$$
The morphism (x, y) ↦ (x², y) maps C″ onto the elliptic curve E of equation
y² = (x − 1)(x − x2²)(x − x3²). The curve E has Legendre form y² = x(x − 1)(x − Λ),
where

$$\Lambda = \frac{x_2^2 - x_3^2}{1 - x_3^2}.$$

Computing the minimal polynomial of Λ proves the theorem. The conditions
on λ, μ, ν show that none of the denominators vanishes, and that E is not
singular. □

Corollary 5 Let C be a curve whose moduli belong to U, and λ, ν be defined as
above. The j-invariants of the quotients of degree 2 of the Jacobian of C are the
solutions of the equation j² + c1(λ, ν) j + c0(λ, ν) = 0, where (c0, c1) are rational
functions.

Proof. The previous theorem yields 2 elliptic curves that are quotients of the
Jacobian of C, and on the open set U, they are the only ones. The polynomial
equation giving j is obtained as the resultant of Equation (1) and the equation
giving the j-invariant of an elliptic curve under Legendre form, Λ²(Λ − 1)² j =
2⁸(Λ² − Λ + 1)³. □

We do not print the values of c0(λ, ν) and c1(λ, ν) for lack of space. Since the
moduli (j1, j2, j3) can be written in terms of λ and ν, an elimination procedure
could give the coefficients c0 and c1 in terms of the moduli. Our approach is less
direct, but yields lighter computations.
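The construction of Theorem 4 and the quadratic of Corollary 5, carried through with exact rationals as an added example (not code from the paper). It assumes a constructed instance (λ, ν) = (3, 4), for which ν(ν − λ) = 4 is a rational square, so u = 2, μ = 8/3 and both elliptic quotients are defined over Q; all function names are hypothetical.

```python
from fractions import Fraction as F
from math import isqrt

# Added example (not the paper's code): the proof of Theorem 4 and Corollary 5
# with exact rational arithmetic. Assumption: nu*(nu - lambda) is a rational
# square, so that u and both Legendre parameters are rational.


def rosenhain_mu(lam, nu):
    """mu = nu(1 - lambda)/(1 - nu): the third Rosenhain root forced by tau(1) = mu."""
    lam, nu = F(lam), F(nu)
    return nu * (1 - lam) / (1 - nu)


def rational_sqrt(q):
    """Exact square root of a non-negative rational, or None if it is not a square."""
    if q < 0:
        return None
    n, d = q.numerator, q.denominator
    rn, rd = isqrt(n), isqrt(d)
    return F(rn, rd) if rn * rn == n and rd * rd == d else None


def quintic(lam, mu, nu, x):
    """f(x) = x(x-1)(x-lambda)(x-mu)(x-nu), the right-hand side of C'."""
    return x * (x - 1) * (x - lam) * (x - mu) * (x - nu)


def involution_preserves_curve(lam, nu, x):
    """tau(x, y) = (nu(x-lambda)/(x-nu), u^3 y/(x-nu)^3) maps C' to itself exactly
    when f(tau_x(x)) == u^6 f(x)/(x-nu)^6; this tests that identity at a sample x."""
    lam, nu, x = F(lam), F(nu), F(x)
    mu = rosenhain_mu(lam, nu)
    u2 = nu * (nu - lam)                       # u^2, hence u^6 = u2**3
    tx = nu * (x - lam) / (x - nu)
    return quintic(lam, mu, nu, tx) == u2**3 * quintic(lam, mu, nu, x) / (x - nu)**6


def legendre_j(L):
    """j of y^2 = x(x-1)(x-L), from L^2 (L-1)^2 j = 2^8 (L^2 - L + 1)^3."""
    L = F(L)
    return 256 * (L * L - L + 1)**3 / (L * L * (L - 1)**2)


def quotient_legendre(nu, u):
    """phi(x) = (x-nu-u)/(x-nu+u) turns tau into (x,y) -> (-x,y). With x2 = phi(0),
    x3 = phi(1) the quotient is y^2 = (x-1)(x-x2^2)(x-x3^2), whose Legendre
    parameter is Lambda = (x2^2 - x3^2)/(1 - x3^2)."""
    nu, u = F(nu), F(u)
    phi = lambda x: (x - nu - u) / (x - nu + u)
    x2, x3 = phi(F(0)), phi(F(1))
    return (x2**2 - x3**2) / (1 - x3**2)


def equation_1(lam, mu, nu, L):
    """Left-hand side of Equation (1); it vanishes at both Legendre parameters."""
    lam, mu, nu, L = F(lam), F(mu), F(nu), F(L)
    return nu**2 * lam**2 * L**2 + 2 * nu * mu * (lam - 2 * nu) * L + mu**2


def j_quadratic(lam, nu):
    """Return ((c1, c0), (Lambda, Lambda')): j^2 + c1 j + c0 = 0 is the polynomial
    of Corollary 5, whose roots are the j-invariants of the quotients attached to
    u (involution tau) and -u (involution tau*iota)."""
    lam, nu = F(lam), F(nu)
    mu = rosenhain_mu(lam, nu)
    if len({F(0), F(1), lam, mu, nu}) != 5:
        raise ValueError("Rosenhain roots must be pairwise distinct")
    u = rational_sqrt(nu * (nu - lam))
    if u is None:
        raise ValueError("this toy version needs nu(nu - lambda) to be a rational square")
    L1, L2 = quotient_legendre(nu, u), quotient_legendre(nu, -u)
    j1, j2 = legendre_j(L1), legendre_j(L2)
    return (-(j1 + j2), j1 * j2), (L1, L2)


if __name__ == "__main__":
    # Constructed instance: lambda = 3, nu = 4 gives u = 2 and mu = 8/3.
    (c1, c0), (L1, L2) = j_quadratic(3, 4)
    print("Lambda, Lambda' =", L1, L2)            # 2/3 and 2/27
    print("j^2 + (%s) j + (%s) = 0" % (c1, c0))
```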

2.2 The Group Acting on Rosenhain Forms 

In this section, we introduce two invariants that characterize the isomorphism 
classes of (2,2)-reducible curves. 

Theorem 6 Let C be a curve of genus 2 whose moduli belong to H_2. There are
24 triples (λ, μ, ν) with μ = ν(1 − λ)/(1 − ν) for which the curve of equation
y² = x(x − 1)(x − λ)(x − μ)(x − ν) is isomorphic to C. The unique subgroup of
order 24 of PGL(2, 5) acts transitively on the set of these triples.

Proof. Theorem 4 yields a triple (λ1, μ1, ν1) that satisfies the condition, so from
now on, we consider that C is the corresponding curve. Every curve isomorphic
to C is given by a birational transformation x ↦ (ax + b)/(cx + d). Since this curve
must be under Rosenhain form, the transformation must map 3 of the 6 Weierstrass
points (0, 1, ∞, λ1, μ1, ν1) on the points (0, 1, ∞). The corresponding homographic
transformations form a group of order 6·5·4 = 120, and an exhaustive
search shows that only 24 of them satisfy the relation μ = ν(1 − λ)/(1 − ν) on the new
values (λ, μ, ν). Let us denote by (λi, μi, νi), 1 ≤ i ≤ 24, the corresponding triples. The
exhaustive study shows that the curve of Rosenhain form {0, 1, ∞, λi, μi, νi} is
sent to the curve of Rosenhain form {0, 1, ∞, λj, μj, νj} by successive applications
on these 6 points of the maps σ1(x) = 1/x, σ2(x) = 1 − x, σ3(x) = [expression lost in extraction],
σ4(x) = x/μ. These maps generate a group isomorphic to the unique subgroup
of order 24 of PGL(2, 5), whose action on the triples is given by the
following table. □



[Table lost in extraction: the action of σ1, σ2, σ3, σ4 on the triple (λ, μ, ν); σ1 sends it to (1/λ, 1/μ, 1/ν) and σ2 to (1 − λ, 1 − μ, 1 − ν), the remaining entries are unreadable.]



The 24 triples are explicitly given in the Appendix. The symmetric
functions in these triples are invariants of the isomorphism class of C. We will
now define two specific invariants that characterize these classes.



Definition 7 Let C be a curve of genus 2 whose moduli belong to H_2, and let
{(λi, μi, νi)}_{1≤i≤24} be the set of triples defined above. We denote by Ω and T the
following functions:



\ — ^24 \ 

^ = X/i=l \^ i - 



The following proposition shows that Ω and T characterize the isomorphism
classes of such curves. It is straightforward to check all the following formulae,
since (j1, j2, j3), (c0, c1) and (Ω, T) can be written in terms of (λ, ν).



Proposition 8 Let C be a curve of genus 2 whose moduli belong to H_2, and
(Ω, T) defined as above. If all terms are defined, then the following holds:



36(12 -2)T^ , _-216T^(12r + T- 2712) ._ -24312T‘‘ 

(12 -8)(2T- 312)2’ P - (12- 8)(2T- 312)3 ’ 64(12 - 8)2(2T - 312)5 ’ 



The previous system can be solved for (j1, j2, j3) only if the point (j1, j2, j3)
belongs to H_2. In this case, Ω and T are given by the following proposition.

Proposition 9 Let C be a curve of genus 2 whose moduli belong to H_2, and
(Ω, T) defined as above. If all terms are defined, then the following holds:



r = 3/4(162j^ - 483729408jii3 + 1719926784000023 + 671846402iJ3 - 

- 1343692802342 + 162ji4= + 45j| + 352512OO414342 - - Tlflll 

- 69120004342 - 2O414I - 44t42)(3493601284i43 - 298598404342 

+ 191102976000043 + 972 j ^ j 2 - 1107302404i43 - 45 jiji ~ I244I6OO414342 
+ 64 I + i5jt - 3304342 - 564(42 - I 64 ?) / 

((274'( + 1612431364143 + 143327232000043 - 534988804(43 - 94'( 

+ 447897604342 + 4864(42 + 1354i42 “ 238464004i4342 - 1624(42 - Sljlji 

- 34560004342 “ lOiiil - 24(42)(-268738564i43 “ 149299204342 

+ 95551488000043 + 37324804(43 - 9 jij ^ + 41472OO414342 + 3 j ^ + 9 jf 

- 34(42 + 24(41 - 24O). 



42 = (3493601284143 - 298598404342 + I9IIO2976OOOO43 + 9724(42 - 1107302404(43 
- 454142 - 12441600414312 + 64 I + 45i( - 3304(42 - 564(42 “ I 64 O / 
(-268738564143 - 149299204342 + 9555148800004| + 37324804(43 - 9jiji 
+ 4147200414342 + 34 I + 94'( - 34(42 + 24(41 “ 2j^)- 
Remark The invariants (Ω, T) are rational functions defined on the variety H_2.
There may exist simpler formulae to express them.

We now give the coefficients of the minimal polynomial of the j-invariant in
terms of Ω and T.

Proposition 10 Let C be a curve of genus 2 whose moduli belong to the open
set U. The j-invariants of the elliptic quotients of degree 2 of its Jacobian are
the solutions of the equation j² + c1 j + c0 = 0, where c0 and c1 are given below.

_4096r^(C-32)® ^ _-128r(C^-4Cr + 56f?-512) 

C2(C-8) ’ 42(0-8) ■ 

The previous two propositions lead to an expression of the form j² + c1(j1, j2, j3) j
+ c0(j1, j2, j3) = 0, where c1(j1, j2, j3) and c0(j1, j2, j3) are rational functions in
(j1, j2, j3). The denominators in these functions vanish on the two curves D and
V, and two additional curves. This last degeneracy is an artifact due to our
choice of denominators; it is treated in the Appendix.

Computational considerations. To derive the previous formulae, the first
step is to obtain each of the functions (c0, c1, j1, j2, j3) in terms of Ω and T. Let
us consider the case of, say, j1. The indeterminates (λ, ν, Ω, T) are related
by the system {Ω = Ω(λ, ν), T = T(λ, ν), j1 = j1(λ, ν)}, where the right-hand
sides are rational functions. The relation between (Ω, T, j1) is the equation of
the image of the corresponding rational function. Determining this relation is
often called implicitization.

A well-known approach to this question relies on a Gröbner basis computation.
The system can be rewritten as a polynomial system F_{j1} in (λ, ν, j1, Ω, T).
The relation we seek is the intersection of the ideal generated by F_{j1} and the
additional equation 1 − Z·D(λ, ν) with Q[j1, Ω, T], where Z is a new indeterminate,
and D the lcm of the denominators [2, chapter 3.3]. The intersection can
be computed by a Gröbner basis for an eliminating order. In our case, such computations
take several hours, using Magma on an Alpha EV6 500 MHz processor.

We followed another approach to treat this question. The system we consider
defines a finite extension of the field Q(Ω, T), and the relation we seek is the
minimal polynomial of j1 in this extension. In [12], the second author proposes
a probabilistic polynomial-time algorithm to compute this minimal polynomial;
its Magma implementation solves the present question in a matter of minutes.

Finally, once j1, j2 and j3 are obtained in terms of (Ω, T), we have to solve
the system in Proposition 8 for (Ω, T). This system defines a finite extension of
Q(j1, j2). Since Ω and T are known to be functions of (j1, j2, j3), j3 is a primitive
element for this extension, and our question is reduced to computing Ω and T
using this primitive element. The methods in [12] apply as well in this case, and
give the formulae in Proposition 9.

3 The Curve D

We now turn to the first special case, the curve D defined in the preliminaries,
and prove Theorem 1 in this case. The computations turn out to be much simpler,







mainly because this variety has dimension only one. Our formulation also leads
to additional results concerning the endomorphism ring of such Jacobians.

Theorem 11 Let C be a curve of genus 2 whose moduli belong to D. There are
two elliptic curves that are quotients of degree 2 of Jac(C).

Proof. As in the generic case, we start from a characterization of those curves
due to Igusa [4].

Lemma 12 Let C be a curve of genus 2. The reduced group of automorphisms
of C is D_3 if and only if C is isomorphic to a curve of equation y² = x(x −
1)(x − λ)(x − μ)(x − ν), μ = , ν = 1 − , with λ different from 0, 1 and
(1 ± √−3)/2.

If C is as above, its reduced group of automorphisms can be explicitly written.
In the following table, u denotes ±√(λ² − λ + 1).



[Table lost in extraction: the reduced automorphisms of C, the identity (order 1), the involutions τ1, τ2, τ3 (order 2) and ρ1, ρ2 (order 3), with their formulas in x, y, λ and u.]



For each of the involutions τ1, τ2, τ3, we repeat the construction done in the
proof of Theorem 4: we associate to each a pair of elliptic curves.

To this effect, we determine an isomorphism φ from C to a curve where τi
becomes (x, y) ↦ (−x, y), and denote by x1 = 1, x2 and x3 the values taken by
φ at {0, 1, ∞}. This means that the curve C is isomorphic to the curve y² = (x² −
1)(x² − x2²)(x² − x3²), and the elliptic curves we look for are y² = (x − 1)(x − x2²)(x −
x3²), whose Legendre form is y² = x(x − 1)(x − Λ), where Λ = (x2² − x3²)/(1 − x3²).
These computations are summarized in the following table.



[Table lost in extraction: for each involution τ1, τ2, τ3, the map φ, the values x2, x3 and the Legendre parameter Λ, in terms of λ and u.]



Let Λ′1 be the conjugate of Λ1, obtained when u is replaced by −u. The elliptic
curves corresponding to τ1 and τ1ι have Legendre parameters Λ1 and Λ′1, and we
have Λ2 = Λ3 = 1/Λ′1, Λ′2 = Λ′3 = 1/Λ1. Since changing Λi to its inverse 1/Λi
leaves the j-invariant unchanged, there are only 2 isomorphism classes of elliptic
quotients. □
We now give generators of the ideals defining the curves in D, in terms of their
moduli. We follow the Gröbner basis approach we already mentioned; Magma's
Gröbner package takes about a minute to treat this simpler problem.

Lemma 12 gives the moduli in terms of λ, and these relations can be expressed
by a polynomial system F_D in Q[j1, j2, j3, λ]. The ideal defining the curve D
is obtained as the intersection of the ideal generated by F_D and 1 − Z·D(λ)
with Q[j1, j2, j3], where Z is a new indeterminate, and D(λ) the lcm of the
denominators of (j1, j2, j3) expressed in terms of λ:

7j| - 57600j3iii2 + 8991iii2 + 2646j| - 34774272j3ji - 22394880^3^2 

-9953280000J3 + 65610ji + 7290^2 - 4901119488^3 = 0, 
jiji - 297jii2 - 90j2 - 725760jij3 + 172800i2j3 

-2187ji - 243j2 + 169641216^3 = 0, 

— 81ji + 21jii — 9j2 + 5ji j2 + 864000^3 = 0. 

As in Section 2, the previous proof yields the minimal polynomial of the Legendre
parameters Λ, and then of the j-invariants in terms of λ, under the form
j² + c1(λ) j + c0(λ). Eliminating λ is a simple task, which gives the formulae:

_ 3 -85221iij2 - 69228ji - 6621^2 + 6054374400j3ii + 692576000^342 - 595206144043 
“ 8 43(470542 + 2149241 - 129816) ’ 

_ 237341 + 14124142 + 2 IO 42 + 336960004341 + 432 OOOO 4342 - 24606720043 

~ ~ 43(542 + 2741 - 108) ■ 



The points where a denominator vanishes must be treated separately, in the
Appendix. The previous results make the proof of the following corollaries easy.



Theorem 13 Let C be a curve of genus 2 whose moduli belong to D. Its two elliptic
quotients are 3-isogenous.

Proof. We use the same notation as in the previous proof. Let E1 be the elliptic
curve associated to the involution τ1, under the form y² = x(x − 1)(x − Λ1). Its
3-division polynomial is ψ3(x) = 3x⁴ + (−4Λ1 − 4)x³ + 6Λ1x² − Λ1². The linear
form δ(x) = 3x + λ − 2(u + 1) divides ψ3(x) and corresponds to a subgroup of
E1 of order 3. Using Vélu's formulae [13], we can explicitly determine a curve
3-isogenous to E1, of the form y² = x³ + a2x² + a4x + a6, where a2, a4, a6 are
defined by

$$a_2 = -(\Lambda_1 + 1), \qquad a_4 = \Lambda_1 - 5t, \qquad a_6 = 4(\Lambda_1 + 1)\,t - 14x_0\,(t - x_0^2 + \Lambda_1),$$

with x0 = (2(u + 1) − λ)/3, t = 6x0² − 4(Λ1 + 1)x0 + 2Λ1. It is straightforward
to check that the j-invariant of this curve is that of Legendre parameter Λ′1. □
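An added check of the Vélu step in the proof above, with exact rationals (example code, not the paper's). It assumes a constructed instance Λ1 = 27/32, for which x0 = 9/8 is a rational root of ψ3, so the D3 relation between λ, u and Λ1 is not needed; the function names are hypothetical, and the image check uses Vélu's rational maps, which are not printed in the paper.

```python
from fractions import Fraction as F

# Added example (not the paper's code): the 3-isogeny of Theorem 13 via the
# coefficient formulas stated in the proof, plus an independent verification.
# Assumption: Lambda1 = 27/32 and x0 = 9/8 (constructed so psi_3(x0) = 0 over Q).


def legendre_coeffs(L):
    """y^2 = x(x-1)(x-L) as y^2 = x^3 + a2 x^2 + a4 x + a6 (a1 = a3 = 0)."""
    L = F(L)
    return (-(L + 1), L, F(0))


def j_invariant(a2, a4, a6):
    """j of y^2 = x^3 + a2 x^2 + a4 x + a6 through the usual b_i, c4 and discriminant."""
    a2, a4, a6 = F(a2), F(a4), F(a6)
    b2, b4, b6, b8 = 4 * a2, 2 * a4, 4 * a6, 4 * a2 * a6 - a4 * a4
    c4 = b2 * b2 - 24 * b4
    disc = -b2 * b2 * b8 - 8 * b4**3 - 27 * b6 * b6 + 9 * b2 * b4 * b6
    return c4**3 / disc


def psi3(L, x):
    """3-division polynomial of y^2 = x(x-1)(x-L), as written in the proof."""
    L, x = F(L), F(x)
    return 3 * x**4 - 4 * (L + 1) * x**3 + 6 * L * x**2 - L * L


def velu_3_isogenous(L, x0):
    """(a2, a4, a6) of the curve 3-isogenous to y^2 = x(x-1)(x-L) with kernel
    {O, (x0, +-y0)}, exactly as stated in the proof (t plays the role of Velu's v_Q)."""
    L, x0 = F(L), F(x0)
    if psi3(L, x0) != 0:
        raise ValueError("x0 is not the x-coordinate of a point of order 3")
    t = 6 * x0**2 - 4 * (L + 1) * x0 + 2 * L
    a2 = -(L + 1)
    a4 = L - 5 * t
    a6 = 4 * (L + 1) * t - 14 * x0 * (t - x0**2 + L)
    return a2, a4, a6


def isogeny_lands_on_target(L, x0, x):
    """Independent check of the coefficients: push a point (x, y) of E through
    Velu's rational maps (a1 = a3 = 0 form) and test that the image satisfies
    the target equation. Only y^2 = x(x-1)(x-L) enters, so x may be any rational
    different from x0 and y need not be rational."""
    L, x0, x = F(L), F(x0), F(x)
    A2, A4, A6 = velu_3_isogenous(L, x0)
    y2 = x * (x - 1) * (x - L)
    gx = 3 * x0**2 - 2 * (L + 1) * x0 + L      # g^x_Q for the kernel point Q = (x0, y0)
    v = 2 * gx                                 # v_Q for a point of odd order
    u = 4 * x0 * (x0 - 1) * (x0 - L)           # u_Q = (g^y_Q)^2 = (-2 y0)^2
    d = x - x0
    X = x + v / d + u / d**2
    Y2 = y2 * (1 - 2 * u / d**3 - v / d**2)**2  # Y = y * (...) when a1 = a3 = 0
    return Y2 == X**3 + A2 * X**2 + A4 * X + A6


if __name__ == "__main__":
    L, x0 = F(27, 32), F(9, 8)
    E1 = legendre_coeffs(L)
    E2 = velu_3_isogenous(L, x0)
    print("j(E1) =", j_invariant(*E1), " j(E2) =", j_invariant(*E2))
    print("image check:", all(isogeny_lands_on_target(L, x0, x) for x in (2, 3, -1)))
```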

Corollary 14 Let C be a curve of genus 2 whose moduli are on D. The endomorphism
ring of the Jacobian of C contains an order in a quaternion algebra.
In particular, it admits a real multiplication by √3.
Proof. The Jacobian of C is isogenous to E1 × E2, where E1 and E2 are 3-isogenous
elliptic curves. Let us denote by I : E2 → E1 a degree-3 isogeny, and Î its dual
isogeny. Let O be the ring

$$\mathcal{O} = \left\{ \begin{pmatrix} a & \sqrt{3}\,b \\ \sqrt{3}\,c & d \end{pmatrix} : a, b, c, d \in \mathbb{Z} \right\}.$$

The map sending

$$\begin{pmatrix} a & \sqrt{3}\,b \\ \sqrt{3}\,c & d \end{pmatrix}$$

to the endomorphism of E1 × E2 given by (P, Q) ↦ ([a]P + [b]IQ, [c]ÎP + [d]Q)
is an injective ring homomorphism. Multiplication by √3 is for instance represented
by the endomorphism (P, Q) ↦ (IQ, ÎP). □



4 The Curve V

This is the second special case; as previously, the study is based on a result due
to Igusa.

Theorem 15 Let C be a curve of genus 2 whose moduli belong to V. There exist
two elliptic curves E1 and E2 such that Jac(C) is (2,2)-isogenous to E1 × E1 and
E2 × E2. These elliptic curves are 2-isogenous.

Proof. The following result is taken from [4].

Lemma 16 Let C be a curve of genus 2. The reduced group of automorphisms
of C is V_4 if and only if C is isomorphic to the curve of equation y² = x(x −
1)(x + 1)(x − λ)(x − 1/λ), where λ is different from 0, −1 and 1.

If C is as above, its reduced automorphisms can be explicitly determined; in
the following table, u denotes ±√(1 − λ²) and v denotes ±√(λ² − 1).



[Table lost in extraction: the reduced automorphisms of C (the identity, the involutions τ1, τ2 and the remaining element) with their formulas in x, y, λ, u, v and their orders.]

We follow the same method as in the proof of Theorem 11: for each τi, we
make up an isomorphism φ from C to a curve where τi becomes (x, y) ↦ (−x, y).
This curve is then isogenous to the elliptic curve y² = (x − 1)(x − x2²)(x − x3²),
whose Legendre form is y² = x(x − 1)(x − Λ). This leads to the following table.



[Table lost in extraction: for each involution τ1, τ2, the map φ, the values x2, x3, the Legendre parameter Λ and the invariants J1, J2, in terms of λ, u and v.]
The invariants J1 and J2 do not depend on u. This implies that the Jacobian of
C is (2,2)-isogenous to the products E1 × E1 and E2 × E2, and consequently, also
to E1 × E2. Finally, the curves E1 and E2 are 2-isogenous, since (J1, J2) cancels
the modular equation of degree 2. □

Following the same method as in the previous section, we obtain an ideal 
defining the moduli of such curves: 

32jij| - 27jij2 - 54j| + 4423680jij3 + 14745600^243 - 1343692843 = 0, 

6442 - 78643200414243 + 2434142 - 378ji + 318504964i43 - 884736O4243 

-3623878656000041 + 12093235243 = 0, 

341 — IO4142 + I842 — 46O8OOO43 = 0. 



Their j-invariants are the solutions of the equation j² + c1 j + c0 = 0, where c0 and c1 are
given by the following formulae:

_ 9 34142 - 24I + 186624043 + 2II2OO4341 + 64OOO4342 
^ 4 43 (-243 + 7841 + 2042) ’ 

^ 25600004342 + 5I4142 + 3O4I + 768OOO4341 + I86624OO43 

43(-243 + 7841 +2042) 



5 Examples 

In this section, we present examples, mostly taken from the literature, that show 
the use of our results. 

5.1 The Generic Case 

Let C be the curve defined over Q by the equation — x — 1. 

Its moduli are 

23 X 32 X 5 X 13 , _ 23 X 33 X 11 X 13 , _ 3^ x 53^ 

^ > i'2 - ^ - 28 X 375 ■ 

They belong to the open set U ⊂ H_2, so Jac(C) is isogenous to a product of
two elliptic curves. On this example, finding these curves through a Rosenhain
form requires working in an extension of Q of degree 24. Propositions 9 and 10
directly give:

_ 2^4 X 5® X 373 _ 28 X 3^ X 47 

~ 532 ’ ~ 53 ’ 

and the j-invariants of the elliptic curves are defined on Q(i) by 

2^ X 34 X 47 , 28 X 7 X 11 X 181 . 

•' 53 53 

Notice that 53 divides the discriminant of the curve, so it is no surprise to see it
appear in the denominator of j.
5.2 The Curve D

The following example is taken from [6], where Kulesz builds a curve admitting
many rational points. Let C be the curve defined over Q by the equation

$$y^2 = 1412964\,(x^2 - x + 1)^3 - 8033507\,x^2(x - 1)^2.$$



Its moduli are 

_ 32 X 149 X 167 X 2392 X 3618470803 x 33613^ 

~ 7572 X 768321547572 ’ 

33 X 2392 X 336132 X 195593 x 31422316507485410373257 
“ 7573 X 768321547573 ’ 

222 X 3I7 X 5® X 76 X 473 X 893 X 239'* x 33613* 

~ 7573 X 768321547573 ' 

We check that they belong to the curve D, so the reduced group of automorphisms
of C is D_3 (the construction of this curve in [6] already implies this
result). Again, writing down a Rosenhain form for this curve requires working
in an algebraic extension of Q. Our formulae readily give the j-invariants of the
quotient elliptic curves:

239 X 33613 x 843335633 193 x 673 ^ 239 x 3493 x 33613 

~224 X 3* X 59 X 72 X 473 X 89 “ 28 x 3*2 x 53 x 7^ x 47 x 893 ■ 



5.3 The Curve V

In the paper [9], Leprévost and Morain study the curve C_θ defined over Q(θ) by
the equation y² = x(x⁴ − θx² + 1), with the purpose of studying sums of characters.
Its moduli are



$$j_1 = 144\,\frac{9\theta^2 - 20}{(3\theta^2 + 20)^2}, \qquad j_2 = -3456\,\frac{27\theta^2 - 140}{(3\theta^2 + 20)^3},$$



03 



02 - 4 2 

243-1 — . 

(302 + 20)5 



We check that they belong to the curve V, so the reduced group of automor- 
phisms of C is V4. This yields the j-invariants of the quotient elliptic curves: 



$$j = 64\,\frac{(3\theta - 10)^3}{(\theta - 2)(\theta + 2)^2} \qquad \text{and} \qquad j' = 64\,\frac{(3\theta + 10)^3}{(\theta + 2)(\theta - 2)^2}.$$



Notice that the curves E_θ and E′_θ given in [9], y² = x(x² ± 4x + 2 − θ), have
the same invariant j′. The other quotient curves, with invariant j, admit the
equation y² = x(x² ± 4x + 2 + θ).



Appendix: Formulary 



To complete the previous study, we give formulae describing the following cases:

— The reduced group of automorphisms G is neither D3 nor V4, nor Z/2Z: this is the
case for the two points 2.(a) and 2.(b) below.

— A denominator vanishes. On the curve D, this happens at a single point, treated
in 2.(c); in the generic case, two curves must be studied in 2.(f) and 2.(g).

— The covariant A vanishes, so the moduli (j1, j2, j3) are not suited. We choose
two other invariants and go through the same exhaustive process.



All these formulae are gathered as an algorithm, taking as input a curve of genus 2, 
with (2,2)-reducible Jacobian, that outputs the minimal polynomial of the j-invariants 
of the elliptic quotients. 



1. Compute the covariants A, B, C, D, R of C given in [4], and check that R = 0.

2. If A ≠ 0: compute j1, j2, j3.

(a) If ( 41 , 42 , 43 ) = (§§,-!§§, 256 toooo )’ reduced group of automorphisms 

is De; return j{j — 54000). 

(b) If ( 41 , 42 , 43 ) = (— ^, 20o1foo ) ’ then the reduced group of automorphisms 



is ©4; return j — 8000. 

(c) If (41,42,43) = (^ifif , 



81449284536 



57798021931029 



group of automorphisms is D$; return j + 



4 

J - 



then the reduced 

8094076887461888 



658503 ^ 57289761 

(d) If (j1, j2, j3) cancel the polynomials defining D, then the reduced group of
automorphisms is D3; return j as computed in Section 3.

(e) If (j1, j2, j3) cancel the polynomial defining V, then the reduced group of
automorphisms is V4; return j as computed in Section 4.

(f) If (41,42,43) satisfy 33177643 - 42 - 24jij2 - 144j? = 0 and 9ji + 42 = 0, 

then the reduced group of automorphisms is Z/2Z; return ~ 

260919263232J3 
J2 + I2jl 

(g) If (41,42,43) satisfy + 54 - 322486272 jljs + 481469424205824j| = 0 and 
I841 + 542 = 0, then the reduced group of automorphisms is Z/2Z; return 
4 ’^ + Ci 4 + Co, where 



125 (- 4 ^ - 244iJ2 - 144jl + 1625702443)^ 

9559130112 4| 

(1625702443 - 4 ^ - 244ii2 - 1444;)(2723051520j3 - 2S9j^ - 69364ij2 - 416164^) 

206477210419241 



(h) Else, we are in the generic case, and no denominator vanishes; return j as
computed in Section 2.

3. The case A = 0

(a) If B = 0 and C® = 4050000B®, the reduced group of automorphisms is Z/2Z; 
return (j − 4800)(j − 8640).

(b) If C = 0 and B® = 303750074^, the reduced group of automorphisms is Z/2Z; 
return (j − 160)(j + 21600).

Compute the invariants f-2 = 1536 

(c) If (t1, t2) = (1/576000, −460800), the reduced group of automorphisms is V4;
return j² + 7200j + 13824000.

(d) If (t1, t2) = (−1/864000, −172800), the reduced group of automorphisms is
D3; return j² + 55200j − 69984000.

(e) The reduced group of automorphisms is Z/2Z. Compute 

-238878720000ti + 1555200t2ti + 7titi + 2t2 
^ 477757440000ti + 2073600t2ti + - t2 “ ^2 

then c0 and c1 as given in Section 2; return j² + c1 j + c0.
Appendix: The 24 Triples

The following table gives the full list of the triples defined in Theorem 6.









[Table lost in extraction: the 24 triples (λi, μi, νi), 1 ≤ i ≤ 24, expressed in terms of λ, ν and u.]
Abstract. We consider the design of phase shift keyed space-time coded
modulation for two antenna systems based on linear codes over rings.
Design rules for constructing full diversity systematic space-time codes
based on underlying existing algebraic codes were first presented by Hammons
and El Gamal in 2000. We reformulate and simplify these design
rules, resulting in the condition that the characteristic polynomial of
the parity generation matrix must be irreducible. We further extend the
results to non-systematic codes. These results yield a recursive construction
based on the Schur determinant formula. The resulting block codes
are guaranteed to provide full diversity advantage. In addition, the code
construction is such that the corresponding parity check matrix is sparse,
enabling the use of the powerful Sum-Product algorithm for decoding.



1 Introduction 

Wireless access to data networks such as the Internet is expected to be an area 
of rapid growth for mobile communications. High user densities will require very 
high speed low delay links in order to support emerging Internet applications 
such as voice and video. Even in the low mobility indoor environment, the dele- 
terious effects of fading and the need for very low transmit power combine to 
cause problems for radio transmissions. Regardless of advanced coding tech- 
niques, channel capacity remains an unmovable barrier. Without changing the 
channel itself, not much can be done. Fortunately, increasing the number of an- 
tennas at both the base and mobile stations accomplishes exactly that, resulting 
in channels with higher capacity. Such systems can theoretically increase capac- 
ity by up to a factor equaling the number of transmit and receive antennas in 
the array [2, 3, 4, 5, 6]. There are currently two main approaches to realizing the 
capacity potential of these channels: coordinated space-time codes and layered 
space-time codes. 

Coordinated space-time block codes [7,8,9] and trellis codes [10,11,12,13,14]
are designed for coordinated use in space and time. The data is encoded using
multi-dimensional codes that span the transmit array. Trellis codes are typically
decoded using the Viterbi algorithm. Such codes are efficient for small arrays,
and can achieve within 3 dB of the 90% outage capacity rate calculated in [3].
A serious obstacle to extension to larger arrays however is the rapid growth
of decoder complexity with array size and data rate: the number of states in
a full-diversity space-time trellis code for $t$ transmit antennas with rate $R$ is

Another approach uses layered space-time codes [15,16], where the channel 
is decomposed into parallel single-input, single-output channels. The receiver 
successively decodes these layers by using antenna array techniques and linear 
or non-linear cancellation methods. 

In this paper, we consider only the design of coordinated space-time codes 
achieving full space diversity over fading channels. Early work on space-time 
code design was based on considering the minimum rank of a difference matrix 
with entries found by determining all possible complex differences obtained be- 
tween all valid codeword sequences [10]. One problem with constructing such 
codes in this manner was that the code design was not performed over a finite 
field, resulting in rather ad-hoc design methods, or codes found by exhaustive 
computer search. This problem was addressed in [1], whereby the minimum rank
criterion was related back to a binary rank criterion such that codes satisfying the
binary rank criterion were shown to provide maximum diversity advantage. Design
rules for binary space-time codes based on phase shift keyed (PSK) modulation
were presented in [1] and were further extended in [17] for quadrature amplitude
modulation (QAM) constellations. In this paper, we expand on the ideas presented
in [1] in designing binary systematic space-time codes which achieve full
diversity advantage using binary-PSK (BPSK). The codes are based on ensuring
that the characteristic polynomial of the parity generator matrix $P$ is irreducible
over $\mathbb{F}_2$. We give a recursive code design procedure to construct such matrices.
The construction is shown to result in a sparse parity check matrix $H$ similar
to that of irregular low-density parity check (LDPC) codes. We then construct
codes over $\mathbb{Z}_4$ based on the modulo 2 projection of the $\mathbb{Z}_4$ code matrix for use
with quadrature-PSK (QPSK) modulation.

2 Preliminaries 

2.1 Channel Model 

We consider a single-user wireless communication link consisting of $t$ transmit
antennas and $r$ receive antennas. The matched filtered signal $y_{jk} \in \mathbb{C}$ for receive
antenna $j = 1, 2, \ldots, r$ at time $k = 1, 2, \ldots, N$ is given by

\[ y_{jk} = \sum_{i=1}^{t} \gamma_{ji}\, c_{ik} + n_{jk} \qquad (1) \]

where $c_{ik}$ is the code symbol transmitted from antenna $i = 1, 2, \ldots, t$ at time
$k$; $\gamma_{ji}$ is the complex gain coefficient between transmit antenna $i$ and receive
antenna $j$; $n_{jk} \in \mathbb{C}$ is a discrete time circularly symmetric complex Gaussian
noise process, independent over space and time, $E[n_{jk}\,\overline{n_{jk}}] =$ and
$E[n_{jk}\,\overline{n_{j'k'}}] = 0$ for $j \neq j'$ and/or $k \neq k'$. $E[X]$ denotes the expectation of a
random variable $X$. Using matrix notation, the received $r \times N$ matrix $y = (y_{jk})$ is
given by $y = \Gamma c + n$, where we define the matrices $n = (n_{jk})$ and $\Gamma = (\gamma_{ji})$. The
complex matrix $c = (c_{ik})$ is referred to as the transmitted space-time codeword. Note
that this implies that the channel matrix $\Gamma$ is held constant for each codeword, but
may vary from codeword to codeword. This is usually referred to as quasi-static
flat-fading.



2.2 Design Rules for Space-Time Codes 



Design rules for space-time codes were presented in [10]. Let $c$ be a valid space-
time codeword and let the erroneous codeword $e$ be any other valid codeword
that may be chosen at the receiver in preference to the transmitted codeword
$c$. Let $B(c,e) = e - c$ be the codeword difference matrix. We define the matrix
$A(c,e) = B(c,e)\,B^*(c,e)$ where $*$ denotes the Hermitian (conjugate transpose)
operation. Tarokh et al. [10] showed that for a quasi-static flat fading channel,
the pairwise error probability is upper bounded as follows

\[ P(c,e) \le \frac{1}{\prod_{i} \left(1 + \lambda_i \frac{E_s}{4N_0}\right)^{r}} \qquad (2) \]

where $\lambda_i$ denotes the non-zero eigenvalues of the matrix $A(c,e)$ and $E_s$ is the
symbol energy. If $A(c,e)$ has rank $s$, then it has exactly $s$ non-zero eigenvalues
and (2) can be bounded by

\[ P(c,e) \le \left( \prod_{i=1}^{s} \lambda_i \right)^{-r} \left( \frac{E_s}{4N_0} \right)^{-rs} . \qquad (3) \]

The resulting space-time code results in a coding advantage of $(\lambda_1 \lambda_2 \cdots \lambda_s)^{1/s}$
and a diversity advantage of $rs$. The main gain to be obtained from a space-time
code is the diversity advantage, which is generally optimised prior to considering
the coding advantage [10]. The reason for this is that the diversity advantage
governs the asymptotic slope of the bit error rate (BER) vs $E_b/N_0$ performance
curve while the coding gain is responsible for shifts in the performance curve.

Criterion 1 (Rank). In order to obtain maximum diversity advantage, the
matrix $B(c,e)$ has to be of rank $t$ (full rank) over all valid codeword pairs $c \neq e$.

Criterion 2 (Determinant). In order to obtain maximum coding advantage,
the product $\left(\prod_{i=1}^{s} \lambda_i\right)^{1/s}$ has to be maximised over all valid codeword pairs $c \neq e$.

These design rules were also extended for space-time codes operating in Rician
channels and for fading channels with correlated coefficients [10].
2.3 The Stacking Construction

Let $M_{m \times n}(\mathbb{F})$ denote the set of all $m \times n$ matrices with elements from the field
$\langle \mathbb{F}, \oplus, \odot \rangle$. Consider a (non space-time) rate 1/2 binary systematic linear block
code $C$ with generator matrix

\[ G = [\,I \mid P\,] \in M_{k \times 2k}(\mathbb{F}_2), \qquad (4) \]

where $I$ is the $k \times k$ identity matrix and $P$ is a $k \times k$ generator matrix for the
parity bits only. For a given information (row) vector $x = (x_1, x_2, \ldots, x_k)$, the
output codeword consists of $k$ information bits $xI$ followed by $k$ parity bits $xP$.

A space-time code for a two-antenna system can be constructed from $C$ in
which the systematic bits and the parity bits are transmitted across the first and
second antenna respectively. The resulting $2 \times k$ space-time codeword is

\[ c = \begin{bmatrix} xI \\ xP \end{bmatrix} . \qquad (5) \]

This is the BPSK stacking construction from [1] (assuming $\mathbb{F}_2$ is mapped to
an antipodal constellation for transmission). It was also shown in [1] that the
stacking construction achieves full spatial diversity if and only if $P$ and $I \oplus P$
are simultaneously full rank over $\mathbb{F}_2$. However no further guidance (other than
manually checking these two binary rank conditions) was given for code design.
The authors went on to present a binary code satisfying the above condition, in
which the underlying systematic binary code was an expurgated and punctured
version of the Golay code $\mathcal{G}_{23}$.
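For small $k$ the rank condition of [1] can be checked against Criterion 1 by brute force. The Python below is an added example, not code from the paper or from [1]: it encodes every information vector with (5), maps $\mathbb{F}_2$ to the antipodal constellation $\{+1, -1\}$, and tests Criterion 1 directly by computing the rank of every difference matrix $B(c,e)$ over the reals in exact rational arithmetic. It then compares that with the binary condition ($P$ and $I \oplus P$ both non-singular over $\mathbb{F}_2$) for all sixteen $2 \times 2$ matrices $P$. The $2 \times 2$ determinant formula and the function names are the example's own.

```python
from fractions import Fraction
from itertools import product


def stack_codeword(x, P):
    """Stacking construction (5): row 1 carries the systematic bits x, row 2 the
    parity bits xP, with arithmetic over F2."""
    k = len(x)
    parity = [sum(x[i] * P[i][j] for i in range(k)) % 2 for j in range(k)]
    return [list(x), parity]


def antipodal(bit):
    """Map a bit in F2 to the BPSK constellation point +1 or -1."""
    return 1 - 2 * bit


def rank_over_reals(rows):
    """Exact rank of an integer matrix via Gaussian elimination on Fractions."""
    m = [[Fraction(v) for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] != 0), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        for i in range(len(m)):
            if i != rank and m[i][col] != 0:
                f = m[i][col] / m[rank][col]
                m[i] = [a - f * b for a, b in zip(m[i], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def full_diversity_by_search(P):
    """Criterion 1 checked directly: every difference matrix B(c, e) = e - c of
    two distinct modulated codewords must have rank t = 2."""
    k = len(P)
    words = [stack_codeword(x, P) for x in product((0, 1), repeat=k)]
    for a in range(len(words)):
        for b in range(a + 1, len(words)):
            c, e = words[a], words[b]
            B = [[antipodal(e[r][j]) - antipodal(c[r][j]) for j in range(k)]
                 for r in range(2)]
            if rank_over_reals(B) < 2:
                return False
    return True


def det2_f2(A):
    """Determinant of a 2x2 binary matrix over F2."""
    return (A[0][0] * A[1][1] + A[0][1] * A[1][0]) % 2


def binary_rank_condition_2x2(P):
    """The condition of [1] for k = 2: P and I (+) P both non-singular over F2."""
    I_plus_P = [[P[i][j] ^ int(i == j) for j in range(2)] for i in range(2)]
    return det2_f2(P) == 1 and det2_f2(I_plus_P) == 1


def compare_criteria_2x2():
    """Run both tests over all 16 binary 2x2 matrices P.  Returns
    (True, [matrices passing]) if the two criteria agree everywhere."""
    passing = []
    for bits in product((0, 1), repeat=4):
        P = [list(bits[:2]), list(bits[2:])]
        if full_diversity_by_search(P) != binary_rank_condition_2x2(P):
            return False, []
        if binary_rank_condition_2x2(P):
            passing.append(P)
    return True, passing


if __name__ == "__main__":
    agree, good = compare_criteria_2x2()
    print("criteria agree on all 16 matrices:", agree)
    print("full-diversity 2x2 parity generators:", good)
```

The exhaustive comparison is what makes the "if and only if" concrete: whenever $P$ is singular some information difference has zero parity difference, and whenever $I \oplus P$ is singular some codeword differs from the all-zero codeword by the same vector on both antennas, so either way a difference matrix of rank one appears.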



3 Eigentheory Based Design Rules

We now investigate conditions on the spectral properties of $P$ such that $P$ and
$I \oplus P$ are both guaranteed to be full-rank. This will in turn allow us to give a new
code construction. The design rules apply for codes which use BPSK modulation.
In Sect. 5.2, we "lift" these properties to design QPSK space-time codes which
also guarantee maximum diversity advantage. Using our approach we can easily
extend our construction to non-systematic codes.

Let $P \in M_{k \times k}(\mathbb{F})$ with spectrum $\sigma(P) = \{\lambda_1, \lambda_2, \ldots\}$. By convention, we
shall consider the eigenvalues $\lambda_i \in \bar{\mathbb{F}}$ where $\mathbb{F} \subset \bar{\mathbb{F}}$. $\bar{\mathbb{F}}$ is an algebraic closure of
$\mathbb{F}$,$^1$ thus $|\sigma(P)| = k$ counting multiplicities. Under our closure convention we
can easily show that [18, Theorem 1.1.6, p. 36] holds in the finite field case. For
reference, we reproduce the theorem here as a lemma.

Lemma 1. Let $P \in M_{k \times k}(\mathbb{F})$ and $\lambda \in \sigma(P)$. Let $f \in \mathbb{F}[x]$ be a polynomial with
coefficients in $\mathbb{F}$. Then $f(\lambda) \in \sigma(f(P))$.

$^1$ In fact, all we require is an extension field constructed by adjoining the roots of all
polynomials of degree $k$. Without this convention, $P$ may not have any eigenvalues
at all.
Application of this lemma leads directly to our first main result.

Theorem 1 (Rank Criterion). The binary matrices $P$ and $I \oplus P$ are simultaneously
full-rank if and only if the characteristic polynomial of $P$ is irreducible
over $\mathbb{F}_2$.

Proof. Consider the function $f(x) = 1 + x$ with unique inverse $f^{-1}(y) = y - 1$.
By Lemma 1 (applied to $f$ and to $f^{-1}$), $\lambda \in \sigma(P)$ if and only if $1 \oplus \lambda \in \sigma(I \oplus P)$.
Thus we have that $1 \in \sigma(P)$ iff $0 \in \sigma(I \oplus P)$ and $1 \in \sigma(I \oplus P)$ iff $0 \in \sigma(P)$.
Thus the characteristic polynomials of $P$ and $I \oplus P$ are irreducible, i.e., do not
have any roots equal to 0 or 1, iff $P$ and $I \oplus P$ have full rank (since a member of
$M_{k \times k}(\mathbb{F})$ has full rank iff 0 is not a root of its characteristic polynomial). □

Theorem 1 can be illustrated via the following example. Table 1 lists some $2 \times 2$
binary matrices $P$, $I \oplus P$ and their corresponding determinants. These four
scenarios cover all possible combinations for the determinants of $P$ and $I \oplus P$. It
can be seen that in the last example both determinants are nonzero and hence
this case satisfies the conditions to ensure full spatial diversity. It is easily verified
that the characteristic polynomial for both these matrices is $\lambda^2 + \lambda + 1$ which is
irreducible over $\mathbb{F}_2$. In fact, these are the only two members of $M_{2 \times 2}(\mathbb{F}_2)$ with
this property.

Table 1. Binary $2 \times 2$ matrices and their determinants.

\[
\begin{array}{ccc}
P & I \oplus P & (\det P,\ \det(I \oplus P)) \\[4pt]
\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} & \begin{pmatrix} 0 & 1 \\ 0 & 0 \end{pmatrix} & (1, 0) \\[8pt]
\begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix} & \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} & (0, 1) \\[8pt]
\begin{pmatrix} 0 & 0 \\ 1 & 1 \end{pmatrix} & \begin{pmatrix} 1 & 0 \\ 1 & 0 \end{pmatrix} & (0, 0) \\[8pt]
\begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix} & \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix} & (1, 1)
\end{array}
\]

Of course we do not need to limit ourselves to $M_{2 \times 2}(\mathbb{F})$. In the general case,
if $P \in M_{k \times k}(\mathbb{F})$, then for the systematic space-time code to achieve maximum
diversity, the characteristic polynomial $p(\lambda)$ of $P$ must be of the form (6),
where each $\phi_i$ is irreducible over $\mathbb{F}$. In fact, valid $3 \times 3$ matrices would have
characteristic equation of degree three, again irreducible over GF(2) (i.e., $\lambda^3 +
\lambda^2 + 1$ and $\lambda^3 + \lambda + 1$). The larger matrix size would result in a greater number
of binary $3 \times 3$ matrices having irreducible characteristic equation than $2 \times 2$
matrices (2 possibilities).
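Theorem 1 and the counts just stated can be checked mechanically. The Python below is an added example, not code from the paper: it stores polynomials over $\mathbb{F}_2$ as bitmasks, computes $\det(\lambda I + P)$ by Laplace expansion (over $\mathbb{F}_2$ this equals $\det(\lambda I - P)$), tests irreducibility by trial division, recomputes Table 1, and enumerates all $k \times k$ binary matrices with irreducible characteristic polynomial. It also checks the weaker condition the proof of Theorem 1 actually uses, that $p(\lambda)$ has no root in $\mathbb{F}_2$ (no factor $\lambda$ or $\lambda + 1$): for $k \le 3$ this coincides with irreducibility, while for larger $k$ it is the product form (6), and a block-diagonal matrix built from two copies of the last row of Table 1 shows the difference. All function names are the example's own.

```python
from itertools import product

# A polynomial over F2 is an int bitmask: bit i holds the coefficient of lambda^i.
LAMBDA = 0b10


def pmul(a, b):
    """Carry-less multiplication: product of two polynomials over F2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pmod(a, b):
    """Remainder of a divided by b in F2[lambda]."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def char_poly(A):
    """Characteristic polynomial det(lambda*I + A) over F2 (signs vanish mod 2),
    by Laplace expansion over a matrix whose entries are polynomials."""
    k = len(A)
    M = [[(A[i][j] & 1) ^ (LAMBDA if i == j else 0) for j in range(k)]
         for i in range(k)]

    def det(rows, cols):
        if not rows:
            return 1
        i, rest = rows[0], rows[1:]
        acc = 0
        for j in cols:
            if M[i][j]:
                acc ^= pmul(M[i][j], det(rest, [c for c in cols if c != j]))
        return acc

    return det(list(range(k)), list(range(k)))


def det_f2(A):
    """det A over F2 is the constant term p(0) of the characteristic polynomial."""
    return char_poly(A) & 1


def is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)//2."""
    d = f.bit_length() - 1
    if d < 1:
        return False
    return all(pmod(f, g) != 0 for g in range(2, 1 << (d // 2 + 1)))


def has_no_root_in_f2(f):
    """p(0) != 0 and p(1) != 0: the condition used in the proof of Theorem 1."""
    return bool(f & 1) and bin(f).count("1") % 2 == 1


def add_identity(A):
    """I (+) A over F2."""
    return [[A[i][j] ^ int(i == j) for j in range(len(A))] for i in range(len(A))]


TABLE_1 = [  # the four (P, I (+) P) pairs of Table 1
    ([[1, 1], [0, 1]], [[0, 1], [0, 0]]),
    ([[1, 1], [1, 1]], [[0, 1], [1, 0]]),
    ([[0, 0], [1, 1]], [[1, 0], [1, 0]]),
    ([[1, 1], [1, 0]], [[0, 1], [1, 1]]),
]


def table_1_determinants():
    """Recompute the last column of Table 1, checking the I (+) P column too."""
    out = []
    for P, I_plus_P in TABLE_1:
        assert add_identity(P) == I_plus_P
        out.append((det_f2(P), det_f2(I_plus_P)))
    return out


def count_irreducible(k):
    """Number of k x k binary matrices with irreducible characteristic polynomial."""
    n = 0
    for bits in product((0, 1), repeat=k * k):
        A = [list(bits[i * k:(i + 1) * k]) for i in range(k)]
        if is_irreducible(char_poly(A)):
            n += 1
    return n


def block_diag_example():
    """diag(C, C) with C the last row of Table 1: P and I (+) P are non-singular,
    yet the characteristic polynomial (lambda^2 + lambda + 1)^2 is reducible."""
    C = [[1, 1], [1, 0]]
    P = [C[0] + [0, 0], C[1] + [0, 0], [0, 0] + C[0], [0, 0] + C[1]]
    f = char_poly(P)
    return f, has_no_root_in_f2(f), is_irreducible(f), det_f2(P), det_f2(add_identity(P))


if __name__ == "__main__":
    print("Table 1 determinants:", table_1_determinants())
    print("2x2 matrices with irreducible char poly:", count_irreducible(2))
    print("3x3 matrices with irreducible char poly:", count_irreducible(3))
    print("diag(C, C):", block_diag_example())
```

The $3 \times 3$ count comes out as 48: each of the two irreducible cubics is the characteristic polynomial of a single conjugacy class of size $|GL_3(\mathbb{F}_2)| / 7 = 168 / 7 = 24$, the same argument that gives $6 / 3 = 2$ for the quadratic case mentioned above.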
4 Code Design

Since we want to be able to generate space-time block codes which guarantee full
diversity for variable blocklengths, one approach is to design space-time block
codes using the $2 \times 2$ matrices given in the last row of Table 1. As these matrices
satisfy Theorem 1 they can be used as building blocks for generating codes of
longer blocklength. We use the Schur determinant formula [18] to recursively
construct block upper triangular parity generator matrices $P$ which satisfy the
condition given by (6). Our construction is summarised in the following theorem.

Theorem 2 (Schur Construction). Let $k > 2$ and $P \in M_{k \times k}(\mathbb{F}_2)$ be a block
upper-triangular parity generator matrix, defined as follows

\[ P = \begin{bmatrix} P_1 & & & X \\ & P_2 & & \\ & & \ddots & \\ 0 & & & P_l \end{bmatrix} \qquad (7) \]

where 0 denotes all-zero entries below the diagonal, $X$ denotes arbitrary binary
entries above the diagonal and the matrices $P_1, P_2, \ldots, P_l$, $l < k$, are binary
square matrices (not necessarily equal size) with irreducible characteristic polynomials.
The resulting space-time code given by the stacking construction (5)
achieves full spatial diversity.



Proof. Partition $P \in M_{k \times k}(\mathbb{F})$ as follows

\[ P = \begin{bmatrix} P_{11} & P_{12} \\ P_{21} & P_{22} \end{bmatrix} \qquad (8) \]

such that for each submatrix we have $P_{11}$ of size $p \times p$, $P_{12}$ of size $p \times q$, $P_{21}$
of size $q \times p$, and finally $P_{22}$ of size $q \times q$ where $p = q = k/2$ for $k$ even and
$p = \lfloor k/2 \rfloor$, $q = p + 1$ for $k$ odd. The Schur determinant formula [18, Section 0.8.5]
gives $\det P = \det P_{11} \det(P_{22} - P_{21} P_{11}^{-1} P_{12})$ (the term in brackets is the Schur
complement). Thus, it is immediately clear that for $P$ to be non-singular, we
require $P_{11}$ to be non-singular. We have some freedom in determining suitable
sub-matrices to ensure that the Schur complement is also non-singular. Setting
$P_{21} = 0$ gives $\det P = \det P_{11} \det P_{22}$ and therefore we are free to choose $P_{12}$
provided $P_{22}$ is non-singular. Thus we let

\[ P = \begin{bmatrix} P_{11} & X \\ 0 & P_{22} \end{bmatrix} \qquad (9) \]

where we require that $P_{11}$ and $P_{22}$ are non-singular. We now simply apply
this procedure (9) recursively to the submatrices $P_{11}$ and $P_{22}$ until we obtain
$2 \times 2$ or $3 \times 3$ sub-partitions. For the case where we obtain $(2 \times 2)$ $P_{11}$ and
$P_{22}$ diagonal sub-partitions, we set these to one of the matrices with irreducible
characteristic polynomials discussed earlier (last example in Table 1). Similarly,
any $3 \times 3$ sub-partitions are set to any binary matrix having irreducible characteristic
polynomial. This ensures that not only is $P$ non-singular, but that $I \oplus P$
is also non-singular. □

As an example, the following $4 \times 4$ generator $P$ constructed from $2 \times 2$ building
blocks guarantees full diversity. Both the matrices $P$ and $I \oplus P$ are full rank.

\[ P = \begin{bmatrix} 1 & 1 & 1 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 1 \end{bmatrix}, \qquad
I \oplus P = \begin{bmatrix} 0 & 1 & 1 & 0 \\ 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 \end{bmatrix} . \]

An example of a $6 \times 6$ generator $P$ constructed from 2 unique $3 \times 3$ building
blocks having irreducible characteristic equation is

\[ P = \begin{bmatrix} 0 & 1 & 1 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 & 1 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \end{bmatrix} . \]

Again we can verify that $P$ and $I \oplus P$ have full rank. The recursive design
discussed thus allows variable blocklength codes to be constructed. However,
the code design is limited in the sense that it can only be applied to systematic
BPSK modulated codes. In the next section, we extend the code design to deal
with these limitations.



5 Further Extensions

5.1 Non-systematic Codes

Replacing the identity component $I$ in (4) with some other $k \times k$ matrix $M$, a
non-systematic space-time code results. The corresponding space-time code is
defined as follows

(10)

From the BPSK stacking construction [1], $M$, $P$ and $M \oplus P$ are required to be
simultaneously full rank in order for the space-time code to achieve maximum
diversity advantage. We assume that $P$ is constructed according to Theorem 2.
For non-singular $M$, we have $M \oplus P = (I \oplus PM^{-1})M$. Thus we require $I \oplus PM^{-1}$
to be non-singular. Begin by restricting $M^{-1}$ to be partitioned as follows

\[ M^{-1} = \begin{bmatrix} I & X_2 \\ 0 & I \end{bmatrix} \]

and similarly let $P$ be partitioned

\[ P = \begin{bmatrix} P_1 & X_1 \\ 0 & P_2 \end{bmatrix} . \]

We then obtain

\[ PM^{-1} = \begin{bmatrix} P_1 & X \\ 0 & P_2 \end{bmatrix} \]

and by our assumption on $P$, the resulting code achieves full-spatial diversity.
In fact for this case, $M =$ for entries defined in $\mathbb{F}_2$. The non-systematic
construction allows greater flexibility in the addition of non-zero terms within
the parity check matrix $H$ associated with the code resulting in possibly better
performing codes (see Sect. 5.3). As an example, choosing $M$ to have the
following form

\[ M = \begin{bmatrix} 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} , \]

we can verify that if we choose $P$ to be as defined in the previous example, then
$M \oplus P$ is full-rank. The rank of $M \oplus P$ is in fact full irrespective of the selection
of the top-right $2 \times 2$ sub-matrix belonging to $M^{-1}$.
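The Schur construction of Sect. 4 and the non-systematic check of Sect. 5.1 are both mechanical, so the following added Python example (not the paper's code) implements them together. It assembles the block upper-triangular $P$ of (7) from given diagonal blocks and a fill rule for the entries above them, applies the halving from the proof of Theorem 2 to choose block sizes for any $k \ge 2$, verifies $P$ and $I \oplus P$ over $\mathbb{F}_2$ by row reduction, rebuilds the $4 \times 4$ and $6 \times 6$ generators shown above, and then checks $M \oplus P$ for the $M$ of Sect. 5.1 over all sixteen choices of its top-right $2 \times 2$ block. As an observation of the example rather than a statement of the paper, it also confirms that this $M$ squares to $I$ over $\mathbb{F}_2$, so $M^{-1} = M$ here. Function names and the random fill are the example's own.

```python
import random
from itertools import product

# Diagonal building blocks with irreducible characteristic polynomial over F2:
# the last row of Table 1 and the two 3x3 blocks of the 6x6 example above.
BLOCK2 = [[1, 1], [1, 0]]
BLOCK2_ALT = [[0, 1], [1, 1]]
BLOCK3_A = [[0, 1, 1], [0, 0, 1], [1, 0, 0]]
BLOCK3_B = [[0, 1, 1], [1, 0, 0], [0, 1, 0]]


def gf2_rank(A):
    """Rank over F2: rows as bitmasks, reduced on their highest set bit."""
    pivots = {}
    for r in A:
        v = sum(bit << j for j, bit in enumerate(r))
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]
    return len(pivots)


def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]


def add(A, B):
    """Entrywise sum over F2."""
    return [[a ^ b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def matmul(A, B):
    """Matrix product over F2."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]


def schur_construct(blocks, fill):
    """Assemble P as in (7): the given square blocks on the diagonal, zeros
    below them, and fill(i, j) in {0, 1} for every entry above them."""
    sizes = [len(b) for b in blocks]
    k = sum(sizes)
    starts = [sum(sizes[:n]) for n in range(len(sizes))]
    block_of = lambda idx: max(n for n, s in enumerate(starts) if s <= idx)
    P = [[0] * k for _ in range(k)]
    for n, b in enumerate(blocks):
        for i in range(sizes[n]):
            for j in range(sizes[n]):
                P[starts[n] + i][starts[n] + j] = b[i][j]
    for i in range(k):
        for j in range(k):
            if block_of(i) < block_of(j):
                P[i][j] = fill(i, j)
    return P


def full_diversity(P):
    """Rank condition of [1]: P and I (+) P both full rank over F2."""
    k = len(P)
    return gf2_rank(P) == k and gf2_rank(add(P, identity(k))) == k


def partition_sizes(k):
    """Recursive halving from the proof of Theorem 2 down to 2x2 / 3x3 pieces."""
    if k in (2, 3):
        return [k]
    p = k // 2
    return partition_sizes(p) + partition_sizes(k - p)


def random_schur(k, seed=0):
    """A k x k parity generator with random entries above the diagonal blocks."""
    rng = random.Random(seed)
    blocks = [BLOCK2 if s == 2 else BLOCK3_A for s in partition_sizes(k)]
    return schur_construct(blocks, lambda i, j: rng.randint(0, 1))


# The 4x4 and 6x6 examples of Sect. 4 and the M of Sect. 5.1.
P4 = schur_construct([BLOCK2, BLOCK2_ALT], lambda i, j: int((i, j) == (0, 2)))
P6 = schur_construct([BLOCK3_A, BLOCK3_B],
                     lambda i, j: int((i, j) in {(0, 5), (1, 4)}))
M_EXAMPLE = [[1, 0, 1, 0], [0, 1, 0, 1], [0, 0, 1, 0], [0, 0, 0, 1]]


def nonsystematic_ok(M, P):
    """Condition of Sect. 5.1: M, P and M (+) P simultaneously full rank."""
    k = len(P)
    return gf2_rank(M) == k and gf2_rank(P) == k and gf2_rank(add(M, P)) == k


def all_top_right_choices_ok(P):
    """M = [[I, T], [0, I]] for every binary 2x2 block T: is M (+) P full rank?"""
    for bits in product((0, 1), repeat=4):
        T = [list(bits[:2]), list(bits[2:])]
        M = [[1, 0] + T[0], [0, 1] + T[1], [0, 0, 1, 0], [0, 0, 0, 1]]
        if not nonsystematic_ok(M, P):
            return False
    return True


if __name__ == "__main__":
    for k in range(2, 13):
        print(k, partition_sizes(k), full_diversity(random_schur(k, seed=k)))
    print("M (+) P full rank for every top-right block:", all_top_right_choices_ok(P4))
    print("M is self-inverse over F2:", matmul(M_EXAMPLE, M_EXAMPLE) == identity(4))
```

Because $P$ and $M \oplus P$ are both block upper-triangular with non-singular diagonal blocks, every choice of the entries above the blocks passes, which is exactly the freedom the proof of Theorem 2 leaves in $P_{12}$.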



5.2 QPSK Codes

In [1], a stacking construction for QPSK space-time codes is also presented. The
natural discrete alphabet considered is the ring $\mathbb{Z}_4$ of integers modulo 4. Modulation
is performed by mapping codeword symbols $c \in \mathbb{Z}_4$ to QPSK modulated
symbols $x \in \{\pm 1, \pm i\}$ where the mapping is given by $x =$ where $i = \sqrt{-1}$.
For a $\mathbb{Z}_4$ matrix $c$, the binary matrices $\alpha(c)$ and $\beta(c)$ are uniquely defined such
that $c = \alpha(c) + 2\beta(c)$. If we define the $\mathbb{Z}_4$-valued matrix $c = [c_1^T\, c_2^T \ldots c_t^T]^T$,
where $c_i$ is the $i$-th row of the codeword matrix, then the row based indicant
projection $\Xi(c)$ is defined as $\Xi(c) = [\alpha(c_1)^T\, \alpha(c_2)^T \ldots \alpha(c_t)^T]^T$. As a result of the
QPSK stacking construction, the stacking of $\mathbb{Z}_4$-valued matrices will produce a
QPSK based space-time code that achieves full spatial diversity provided that
the stacking of the corresponding $\Xi$-projection matrices produces a BPSK based
space-time code that also guarantees full-spatial diversity.$^2$ This result allows the
design of QPSK based space-time codes to be effectively mapped back into the
domain of BPSK space-time codes.

We can thus use the QPSK stacking construction along with the code construction
technique presented in Sect. 4 to design QPSK based space-time codes.
In fact, for QPSK modulation, we have a greater flexibility in choosing the diagonal
$2 \times 2$ building blocks. For BPSK modulation, the number of possible $2 \times 2$
building blocks was limited to two. However for QPSK, provided the modulo 2
projection results in a matrix with irreducible characteristic equation, full diversity
is guaranteed. For example, the following $2 \times 2$ matrices with entries in $\mathbb{Z}_4$
result in the same row-based indicant projection matrix $\Xi$:

\[
\begin{bmatrix} 3 & 3 \\ 3 & 0 \end{bmatrix}, \quad
\begin{bmatrix} 1 & 3 \\ 1 & 0 \end{bmatrix}, \quad
\begin{bmatrix} 3 & 1 \\ 1 & 2 \end{bmatrix}, \quad
\begin{bmatrix} 1 & 3 \\ 3 & 2 \end{bmatrix}, \quad
\begin{bmatrix} 1 & 1 \\ 1 & 0 \end{bmatrix} .
\]

$^2$ Provided that $P$ is full rank.
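The $\mathbb{Z}_4$ decomposition and the indicant projection are easy to make concrete. The Python below is an added example rather than code from the paper or from [1]: it splits a $\mathbb{Z}_4$ matrix into $\alpha(c) + 2\beta(c)$, maps symbols to QPSK points (assuming the mapping $c \mapsto i^c$, the natural one for the constellation $\{\pm 1, \pm i\}$ named above), checks that the five matrices listed above all project to the same binary matrix, tests that projection with the $2 \times 2$ characteristic-polynomial formula $\lambda^2 + (\operatorname{tr} P)\lambda + \det P$, and counts all $2 \times 2$ matrices over $\mathbb{Z}_4$ whose projection has an irreducible characteristic polynomial, which makes the "greater flexibility" remark quantitative. Names are the example's own.

```python
from itertools import product

# Assumed mapping of Z4 symbols to QPSK points, x = i**c with i = sqrt(-1).
QPSK_POINT = {0: 1, 1: 1j, 2: -1, 3: -1j}

# The five Z4 matrices listed above (transcribed from the paper's example).
Z4_EXAMPLES = [
    [[3, 3], [3, 0]], [[1, 3], [1, 0]], [[3, 1], [1, 2]],
    [[1, 3], [3, 2]], [[1, 1], [1, 0]],
]


def alpha_beta(c):
    """The unique binary matrices with c = alpha(c) + 2 beta(c) over Z4."""
    alpha = [[v % 2 for v in row] for row in c]
    beta = [[v // 2 for v in row] for row in c]
    return alpha, beta


def recombine(alpha, beta):
    """Inverse of alpha_beta: alpha + 2 beta reduced modulo 4."""
    return [[(a + 2 * b) % 4 for a, b in zip(ra, rb)] for ra, rb in zip(alpha, beta)]


def indicant_projection(c):
    """Row-based indicant projection Xi(c): alpha of each row, stacked."""
    return [alpha_beta([row])[0][0] for row in c]


def qpsk(c):
    """Modulate a Z4 matrix to QPSK points."""
    return [[QPSK_POINT[v % 4] for v in row] for row in c]


def char_poly_2x2_f2(A):
    """(1, tr, det) for lambda^2 + tr*lambda + det of a binary 2x2 matrix."""
    (a, b), (c, d) = A
    return (1, (a + d) % 2, (a * d + b * c) % 2)


def bpsk_block_ok(A):
    """lambda^2 + lambda + 1 is the only irreducible quadratic over F2."""
    return char_poly_2x2_f2(A) == (1, 1, 1)


def common_projection(mats):
    """The shared projection of the given matrices, or None if they differ."""
    projections = {tuple(map(tuple, indicant_projection(m))) for m in mats}
    if len(projections) != 1:
        return None
    return [list(r) for r in projections.pop()]


def count_qpsk_building_blocks():
    """2x2 Z4 matrices whose mod-2 projection satisfies the BPSK design rule."""
    return sum(
        bpsk_block_ok(indicant_projection([list(v[:2]), list(v[2:])]))
        for v in product(range(4), repeat=4)
    )


if __name__ == "__main__":
    print("common projection:", common_projection(Z4_EXAMPLES))
    print("projection satisfies Theorem 1:", bpsk_block_ok(common_projection(Z4_EXAMPLES)))
    print("QPSK 2x2 building blocks:", count_qpsk_building_blocks())
```

Each of the two BPSK building blocks lifts to $2^4 = 16$ matrices over $\mathbb{Z}_4$ (every entry may carry either value of $\beta$), so the count is 32 against 2 for BPSK.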



5.3 Decoding Algorithm

Detailed discussion of the decoding algorithm and the resulting performance will
be presented elsewhere. All that will be mentioned here is that Theorem 2 allows
construction of low density parity check matrices [20,21], suitable for application
of the Sum-Product algorithm [19] operating on the corresponding factor graph.
In addition, the triangular structure of $P$ leads to a low complexity encoding
algorithm (which is an important feature for low-density parity check codes).
Currently we are investigating row and column degree sequences for $P$ resulting
in the best possible BER vs $E_b/N_0$ performance.

6 Conclusions

We have presented a recursive construction for systematic and non-systematic
space-time codes for two antenna systems. The codes are guaranteed to provide
full diversity advantage. Performance results based on the code construction
techniques discussed will appear in a subsequent publication.